1/* $NetBSD: smtpd.c,v 1.16 2018/02/01 03:32:00 christos Exp $ */
2
3/*++
4/* NAME
5/* smtpd 8
6/* SUMMARY
7/* Postfix SMTP server
8/* SYNOPSIS
9/* \fBsmtpd\fR [generic Postfix daemon options]
10/*
11/* \fBsendmail -bs\fR
12/* DESCRIPTION
13/* The SMTP server accepts network connection requests
14/* and performs zero or more SMTP transactions per connection.
15/* Each received message is piped through the \fBcleanup\fR(8)
16/* daemon, and is placed into the \fBincoming\fR queue as one
17/* single queue file. For this mode of operation, the program
18/* expects to be run from the \fBmaster\fR(8) process manager.
19/*
20/* Alternatively, the SMTP server can be run in stand-alone
21/* mode; this is traditionally obtained with "\fBsendmail
22/* -bs\fR". When the SMTP server runs stand-alone with non
23/* $\fBmail_owner\fR privileges, it receives mail even while
24/* the mail system is not running, deposits messages directly
25/* into the \fBmaildrop\fR queue, and disables the SMTP server's
26/* access policies. As of Postfix version 2.3, the SMTP server
27/* refuses to receive mail from the network when it runs with
28/* non $\fBmail_owner\fR privileges.
29/*
30/* The SMTP server implements a variety of policies for connection
31/* requests, and for parameters given to \fBHELO, ETRN, MAIL FROM, VRFY\fR
32/* and \fBRCPT TO\fR commands. They are detailed below and in the
33/* \fBmain.cf\fR configuration file.
34/* SECURITY
35/* .ad
36/* .fi
37/* The SMTP server is moderately security-sensitive. It talks to SMTP
38/* clients and to DNS servers on the network. The SMTP server can be
39/* run chrooted at fixed low privilege.
40/* STANDARDS
41/* RFC 821 (SMTP protocol)
42/* RFC 1123 (Host requirements)
43/* RFC 1652 (8bit-MIME transport)
44/* RFC 1869 (SMTP service extensions)
45/* RFC 1870 (Message size declaration)
46/* RFC 1985 (ETRN command)
47/* RFC 2034 (SMTP enhanced status codes)
48/* RFC 2554 (AUTH command)
49/* RFC 2821 (SMTP protocol)
50/* RFC 2920 (SMTP pipelining)
51/* RFC 3207 (STARTTLS command)
52/* RFC 3461 (SMTP DSN extension)
53/* RFC 3463 (Enhanced status codes)
54/* RFC 3848 (ESMTP transmission types)
55/* RFC 4409 (Message submission)
56/* RFC 4954 (AUTH command)
57/* RFC 5321 (SMTP protocol)
58/* RFC 6531 (Internationalized SMTP)
59/* RFC 6533 (Internationalized Delivery Status Notifications)
60/* RFC 7505 ("Null MX" No Service Resource Record)
61/* DIAGNOSTICS
62/* Problems and transactions are logged to \fBsyslogd\fR(8).
63/*
64/* Depending on the setting of the \fBnotify_classes\fR parameter,
65/* the postmaster is notified of bounces, protocol problems,
66/* policy violations, and of other trouble.
67/* CONFIGURATION PARAMETERS
68/* .ad
69/* .fi
70/* Changes to \fBmain.cf\fR are picked up automatically, as \fBsmtpd\fR(8)
71/* processes run for only a limited amount of time. Use the command
72/* "\fBpostfix reload\fR" to speed up a change.
73/*
74/* The text below provides only a parameter summary. See
75/* \fBpostconf\fR(5) for more details including examples.
76/* COMPATIBILITY CONTROLS
77/* .ad
78/* .fi
79/* The following parameters work around implementation errors in other
80/* software, and/or allow you to override standards in order to prevent
81/* undesirable use.
82/* .ad
83/* .fi
84/* .IP "\fBbroken_sasl_auth_clients (no)\fR"
85/* Enable interoperability with remote SMTP clients that implement an obsolete
86/* version of the AUTH command (RFC 4954).
87/* .IP "\fBdisable_vrfy_command (no)\fR"
88/* Disable the SMTP VRFY command.
89/* .IP "\fBsmtpd_noop_commands (empty)\fR"
90/* List of commands that the Postfix SMTP server replies to with "250
91/* Ok", without doing any syntax checks and without changing state.
92/* .IP "\fBstrict_rfc821_envelopes (no)\fR"
93/* Require that addresses received in SMTP MAIL FROM and RCPT TO
94/* commands are enclosed with <>, and that those addresses do
95/* not contain RFC 822 style comments or phrases.
96/* .PP
97/* Available in Postfix version 2.1 and later:
98/* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
99/* Request that the Postfix SMTP server rejects mail from unknown
100/* sender addresses, even when no explicit reject_unlisted_sender
101/* access restriction is specified.
102/* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
103/* What remote SMTP clients the Postfix SMTP server will not offer
104/* AUTH support to.
105/* .PP
106/* Available in Postfix version 2.2 and later:
107/* .IP "\fBsmtpd_discard_ehlo_keyword_address_maps (empty)\fR"
108/* Lookup tables, indexed by the remote SMTP client address, with
109/* case insensitive lists of EHLO keywords (pipelining, starttls, auth,
110/* etc.) that the Postfix SMTP server will not send in the EHLO response
111/* to a
112/* remote SMTP client.
113/* .IP "\fBsmtpd_discard_ehlo_keywords (empty)\fR"
114/* A case insensitive list of EHLO keywords (pipelining, starttls,
115/* auth, etc.) that the Postfix SMTP server will not send in the EHLO
116/* response
117/* to a remote SMTP client.
118/* .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR"
119/* Postpone the start of an SMTP mail transaction until a valid
120/* RCPT TO command is received.
121/* .PP
122/* Available in Postfix version 2.3 and later:
123/* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
124/* Force the Postfix SMTP server to issue a TLS session id, even
125/* when TLS session caching is turned off (smtpd_tls_session_cache_database
126/* is empty).
127/* .PP
128/* Available in Postfix version 2.6 and later:
129/* .IP "\fBtcp_windowsize (0)\fR"
130/* An optional workaround for routers that break TCP window scaling.
131/* .PP
132/* Available in Postfix version 2.7 and later:
133/* .IP "\fBsmtpd_command_filter (empty)\fR"
134/* A mechanism to transform commands from remote SMTP clients.
135/* .PP
136/* Available in Postfix version 2.9 and later:
137/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
138/* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
139/* time limits, from a
140/* time limit per read or write system call, to a time limit to send
141/* or receive a complete record (an SMTP command line, SMTP response
142/* line, SMTP message content line, or TLS protocol message).
143/* .PP
144/* Available in Postfix version 3.0 and later:
145/* .IP "\fBsmtpd_dns_reply_filter (empty)\fR"
146/* Optional filter for Postfix SMTP server DNS lookup results.
147/* ADDRESS REWRITING CONTROLS
148/* .ad
149/* .fi
150/* See the ADDRESS_REWRITING_README document for a detailed
151/* discussion of Postfix address rewriting.
152/* .IP "\fBreceive_override_options (empty)\fR"
153/* Enable or disable recipient validation, built-in content
154/* filtering, or address mapping.
155/* .PP
156/* Available in Postfix version 2.2 and later:
157/* .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR"
158/* Rewrite message header addresses in mail from these clients and
159/* update incomplete addresses with the domain name in $myorigin or
160/* $mydomain; either don't rewrite message headers from other clients
161/* at all, or rewrite message headers and update incomplete addresses
162/* with the domain specified in the remote_header_rewrite_domain
163/* parameter.
164/* BEFORE-SMTPD PROXY AGENT
165/* .ad
166/* .fi
167/* Available in Postfix version 2.10 and later:
168/* .IP "\fBsmtpd_upstream_proxy_protocol (empty)\fR"
169/* The name of the proxy protocol used by an optional before-smtpd
170/* proxy agent.
171/* .IP "\fBsmtpd_upstream_proxy_timeout (5s)\fR"
172/* The time limit for the proxy protocol specified with the
173/* smtpd_upstream_proxy_protocol parameter.
174/* AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
175/* .ad
176/* .fi
177/* As of version 1.0, Postfix can be configured to send new mail to
178/* an external content filter AFTER the mail is queued. This content
179/* filter is expected to inject mail back into a (Postfix or other)
180/* MTA for further delivery. See the FILTER_README document for details.
181/* .IP "\fBcontent_filter (empty)\fR"
182/* After the message is queued, send the entire message to the
183/* specified \fItransport:destination\fR.
184/* BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
185/* .ad
186/* .fi
187/* As of version 2.1, the Postfix SMTP server can be configured
188/* to send incoming mail to a real-time SMTP-based content filter
189/* BEFORE mail is queued. This content filter is expected to inject
190/* mail back into Postfix. See the SMTPD_PROXY_README document for
191/* details on how to configure and operate this feature.
192/* .IP "\fBsmtpd_proxy_filter (empty)\fR"
193/* The hostname and TCP port of the mail filtering proxy server.
194/* .IP "\fBsmtpd_proxy_ehlo ($myhostname)\fR"
195/* How the Postfix SMTP server announces itself to the proxy filter.
196/* .IP "\fBsmtpd_proxy_options (empty)\fR"
197/* List of options that control how the Postfix SMTP server
198/* communicates with a before-queue content filter.
199/* .IP "\fBsmtpd_proxy_timeout (100s)\fR"
200/* The time limit for connecting to a proxy filter and for sending or
201/* receiving information.
202/* BEFORE QUEUE MILTER CONTROLS
203/* .ad
204/* .fi
205/* As of version 2.3, Postfix supports the Sendmail version 8
206/* Milter (mail filter) protocol. These content filters run
207/* outside Postfix. They can inspect the SMTP command stream
208/* and the message content, and can request modifications before
209/* mail is queued. For details see the MILTER_README document.
210/* .IP "\fBsmtpd_milters (empty)\fR"
211/* A list of Milter (mail filter) applications for new mail that
212/* arrives via the Postfix \fBsmtpd\fR(8) server.
213/* .IP "\fBmilter_protocol (6)\fR"
214/* The mail filter protocol version and optional protocol extensions
215/* for communication with a Milter application; prior to Postfix 2.6
216/* the default protocol is 2.
217/* .IP "\fBmilter_default_action (tempfail)\fR"
218/* The default action when a Milter (mail filter) application is
219/* unavailable or mis-configured.
220/* .IP "\fBmilter_macro_daemon_name ($myhostname)\fR"
221/* The {daemon_name} macro value for Milter (mail filter) applications.
222/* .IP "\fBmilter_macro_v ($mail_name $mail_version)\fR"
223/* The {v} macro value for Milter (mail filter) applications.
224/* .IP "\fBmilter_connect_timeout (30s)\fR"
225/* The time limit for connecting to a Milter (mail filter)
226/* application, and for negotiating protocol options.
227/* .IP "\fBmilter_command_timeout (30s)\fR"
228/* The time limit for sending an SMTP command to a Milter (mail
229/* filter) application, and for receiving the response.
230/* .IP "\fBmilter_content_timeout (300s)\fR"
231/* The time limit for sending message content to a Milter (mail
232/* filter) application, and for receiving the response.
233/* .IP "\fBmilter_connect_macros (see 'postconf -d' output)\fR"
234/* The macros that are sent to Milter (mail filter) applications
235/* after completion of an SMTP connection.
236/* .IP "\fBmilter_helo_macros (see 'postconf -d' output)\fR"
237/* The macros that are sent to Milter (mail filter) applications
238/* after the SMTP HELO or EHLO command.
239/* .IP "\fBmilter_mail_macros (see 'postconf -d' output)\fR"
240/* The macros that are sent to Milter (mail filter) applications
241/* after the SMTP MAIL FROM command.
242/* .IP "\fBmilter_rcpt_macros (see 'postconf -d' output)\fR"
243/* The macros that are sent to Milter (mail filter) applications
244/* after the SMTP RCPT TO command.
245/* .IP "\fBmilter_data_macros (see 'postconf -d' output)\fR"
246/* The macros that are sent to version 4 or higher Milter (mail
247/* filter) applications after the SMTP DATA command.
248/* .IP "\fBmilter_unknown_command_macros (see 'postconf -d' output)\fR"
249/* The macros that are sent to version 3 or higher Milter (mail
250/* filter) applications after an unknown SMTP command.
251/* .IP "\fBmilter_end_of_header_macros (see 'postconf -d' output)\fR"
252/* The macros that are sent to Milter (mail filter) applications
253/* after the end of the message header.
254/* .IP "\fBmilter_end_of_data_macros (see 'postconf -d' output)\fR"
255/* The macros that are sent to Milter (mail filter) applications
256/* after the message end-of-data.
257/* .PP
258/* Available in Postfix version 3.1 and later:
259/* .IP "\fBmilter_macro_defaults (empty)\fR"
260/* Optional list of \fIname=value\fR pairs that specify default
261/* values for arbitrary macros that Postfix may send to Milter
262/* applications.
263/* GENERAL CONTENT INSPECTION CONTROLS
264/* .ad
265/* .fi
266/* The following parameters are applicable for both built-in
267/* and external content filters.
268/* .PP
269/* Available in Postfix version 2.1 and later:
270/* .IP "\fBreceive_override_options (empty)\fR"
271/* Enable or disable recipient validation, built-in content
272/* filtering, or address mapping.
273/* EXTERNAL CONTENT INSPECTION CONTROLS
274/* .ad
275/* .fi
276/* The following parameters are applicable for both before-queue
277/* and after-queue content filtering.
278/* .PP
279/* Available in Postfix version 2.1 and later:
280/* .IP "\fBsmtpd_authorized_xforward_hosts (empty)\fR"
281/* What remote SMTP clients are allowed to use the XFORWARD feature.
282/* SASL AUTHENTICATION CONTROLS
283/* .ad
284/* .fi
285/* Postfix SASL support (RFC 4954) can be used to authenticate remote
286/* SMTP clients to the Postfix SMTP server, and to authenticate the
287/* Postfix SMTP client to a remote SMTP server.
288/* See the SASL_README document for details.
289/* .IP "\fBbroken_sasl_auth_clients (no)\fR"
290/* Enable interoperability with remote SMTP clients that implement an obsolete
291/* version of the AUTH command (RFC 4954).
292/* .IP "\fBsmtpd_sasl_auth_enable (no)\fR"
293/* Enable SASL authentication in the Postfix SMTP server.
294/* .IP "\fBsmtpd_sasl_local_domain (empty)\fR"
295/* The name of the Postfix SMTP server's local SASL authentication
296/* realm.
297/* .IP "\fBsmtpd_sasl_security_options (noanonymous)\fR"
298/* Postfix SMTP server SASL security options; as of Postfix 2.3
299/* the list of available
300/* features depends on the SASL server implementation that is selected
301/* with \fBsmtpd_sasl_type\fR.
302/* .IP "\fBsmtpd_sender_login_maps (empty)\fR"
303/* Optional lookup table with the SASL login names that own the sender
304/* (MAIL FROM) addresses.
305/* .PP
306/* Available in Postfix version 2.1 and later:
307/* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
308/* What remote SMTP clients the Postfix SMTP server will not offer
309/* AUTH support to.
310/* .PP
311/* Available in Postfix version 2.1 and 2.2:
312/* .IP "\fBsmtpd_sasl_application_name (smtpd)\fR"
313/* The application name that the Postfix SMTP server uses for SASL
314/* server initialization.
315/* .PP
316/* Available in Postfix version 2.3 and later:
317/* .IP "\fBsmtpd_sasl_authenticated_header (no)\fR"
318/* Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received
319/* message header.
320/* .IP "\fBsmtpd_sasl_path (smtpd)\fR"
321/* Implementation-specific information that the Postfix SMTP server
322/* passes through to
323/* the SASL plug-in implementation that is selected with
324/* \fBsmtpd_sasl_type\fR.
325/* .IP "\fBsmtpd_sasl_type (cyrus)\fR"
326/* The SASL plug-in type that the Postfix SMTP server should use
327/* for authentication.
328/* .PP
329/* Available in Postfix version 2.5 and later:
330/* .IP "\fBcyrus_sasl_config_path (empty)\fR"
331/* Search path for Cyrus SASL application configuration files,
332/* currently used only to locate the $smtpd_sasl_path.conf file.
333/* .PP
334/* Available in Postfix version 2.11 and later:
335/* .IP "\fBsmtpd_sasl_service (smtp)\fR"
336/* The service name that is passed to the SASL plug-in that is
337/* selected with \fBsmtpd_sasl_type\fR and \fBsmtpd_sasl_path\fR.
338/* STARTTLS SUPPORT CONTROLS
339/* .ad
340/* .fi
341/* Detailed information about STARTTLS configuration may be
342/* found in the TLS_README document.
343/* .IP "\fBsmtpd_tls_security_level (empty)\fR"
344/* The SMTP TLS security level for the Postfix SMTP server; when
345/* a non-empty value is specified, this overrides the obsolete parameters
346/* smtpd_use_tls and smtpd_enforce_tls.
347/* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
348/* The SASL authentication security options that the Postfix SMTP
349/* server uses for TLS encrypted SMTP sessions.
350/* .IP "\fBsmtpd_starttls_timeout (see 'postconf -d' output)\fR"
351/* The time limit for Postfix SMTP server write and read operations
352/* during TLS startup and shutdown handshake procedures.
353/* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
354/* A file containing (PEM format) CA certificates of root CAs trusted
355/* to sign either remote SMTP client certificates or intermediate CA
356/* certificates.
357/* .IP "\fBsmtpd_tls_CApath (empty)\fR"
358/* A directory containing (PEM format) CA certificates of root CAs
359/* trusted to sign either remote SMTP client certificates or intermediate CA
360/* certificates.
361/* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
362/* Force the Postfix SMTP server to issue a TLS session id, even
363/* when TLS session caching is turned off (smtpd_tls_session_cache_database
364/* is empty).
365/* .IP "\fBsmtpd_tls_ask_ccert (no)\fR"
366/* Ask a remote SMTP client for a client certificate.
367/* .IP "\fBsmtpd_tls_auth_only (no)\fR"
368/* When TLS encryption is optional in the Postfix SMTP server, do
369/* not announce or accept SASL authentication over unencrypted
370/* connections.
371/* .IP "\fBsmtpd_tls_ccert_verifydepth (9)\fR"
372/* The verification depth for remote SMTP client certificates.
373/* .IP "\fBsmtpd_tls_cert_file (empty)\fR"
374/* File with the Postfix SMTP server RSA certificate in PEM format.
375/* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR"
376/* List of ciphers or cipher types to exclude from the SMTP server
377/* cipher list at all TLS security levels.
378/* .IP "\fBsmtpd_tls_dcert_file (empty)\fR"
379/* File with the Postfix SMTP server DSA certificate in PEM format.
380/* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
381/* File with DH parameters that the Postfix SMTP server should
382/* use with non-export EDH ciphers.
383/* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR"
384/* File with DH parameters that the Postfix SMTP server should
385/* use with export-grade EDH ciphers.
386/* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR"
387/* File with the Postfix SMTP server DSA private key in PEM format.
388/* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
389/* File with the Postfix SMTP server RSA private key in PEM format.
390/* .IP "\fBsmtpd_tls_loglevel (0)\fR"
391/* Enable additional Postfix SMTP server logging of TLS activity.
392/* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
393/* The minimum TLS cipher grade that the Postfix SMTP server will
394/* use with mandatory TLS encryption.
395/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
396/* Additional list of ciphers or cipher types to exclude from the
397/* Postfix SMTP server cipher list at mandatory TLS security levels.
398/* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
399/* The SSL/TLS protocols accepted by the Postfix SMTP server with
400/* mandatory TLS encryption.
401/* .IP "\fBsmtpd_tls_received_header (no)\fR"
402/* Request that the Postfix SMTP server produces Received: message
403/* headers that include information about the protocol and cipher used,
404/* as well as the remote SMTP client CommonName and client certificate issuer
405/* CommonName.
406/* .IP "\fBsmtpd_tls_req_ccert (no)\fR"
407/* With mandatory TLS encryption, require a trusted remote SMTP client
408/* certificate in order to allow TLS connections to proceed.
409/* .IP "\fBsmtpd_tls_wrappermode (no)\fR"
410/* Run the Postfix SMTP server in the non-standard "wrapper" mode,
411/* instead of using the STARTTLS command.
412/* .IP "\fBtls_daemon_random_bytes (32)\fR"
413/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
414/* process requests from the \fBtlsmgr\fR(8) server in order to seed its
415/* internal pseudo random number generator (PRNG).
416/* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
417/* The OpenSSL cipherlist for "high" grade ciphers.
418/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
419/* The OpenSSL cipherlist for "medium" or higher grade ciphers.
420/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
421/* The OpenSSL cipherlist for "low" or higher grade ciphers.
422/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
423/* The OpenSSL cipherlist for "export" or higher grade ciphers.
424/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
425/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
426/* authentication without encryption.
427/* .PP
428/* Available in Postfix version 2.5 and later:
429/* .IP "\fBsmtpd_tls_fingerprint_digest (md5)\fR"
430/* The message digest algorithm to construct remote SMTP
431/* client-certificate
432/* fingerprints or public key fingerprints (Postfix 2.9 and later)
433/* for \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
434/* .PP
435/* Available in Postfix version 2.6 and later:
436/* .IP "\fBsmtpd_tls_protocols (!SSLv2, !SSLv3)\fR"
437/* List of TLS protocols that the Postfix SMTP server will exclude
438/* or include with opportunistic TLS encryption.
439/* .IP "\fBsmtpd_tls_ciphers (medium)\fR"
440/* The minimum TLS cipher grade that the Postfix SMTP server
441/* will use with opportunistic TLS encryption.
442/* .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
443/* File with the Postfix SMTP server ECDSA certificate in PEM format.
444/* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
445/* File with the Postfix SMTP server ECDSA private key in PEM format.
446/* .IP "\fBsmtpd_tls_eecdh_grade (see 'postconf -d' output)\fR"
447/* The Postfix SMTP server security grade for ephemeral elliptic-curve
448/* Diffie-Hellman (EECDH) key exchange.
449/* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
450/* The elliptic curve used by the Postfix SMTP server for sensibly
451/* strong
452/* ephemeral ECDH key exchange.
453/* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
454/* The elliptic curve used by the Postfix SMTP server for maximally
455/* strong
456/* ephemeral ECDH key exchange.
457/* .PP
458/* Available in Postfix version 2.8 and later:
459/* .IP "\fBtls_preempt_cipherlist (no)\fR"
460/* With SSLv3 and later, use the Postfix SMTP server's cipher
461/* preference order instead of the remote client's cipher preference
462/* order.
463/* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
464/* List or bit-mask of OpenSSL bug work-arounds to disable.
465/* .PP
466/* Available in Postfix version 2.11 and later:
467/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
468/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
469/* .PP
470/* Available in Postfix version 3.0 and later:
471/* .IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)\fR"
472/* Algorithm used to encrypt RFC5077 TLS session tickets.
473/* OBSOLETE STARTTLS CONTROLS
474/* .ad
475/* .fi
476/* The following configuration parameters exist for compatibility
477/* with Postfix versions before 2.3. Support for these will
478/* be removed in a future release.
479/* .IP "\fBsmtpd_use_tls (no)\fR"
480/* Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
481/* but do not require that clients use TLS encryption.
482/* .IP "\fBsmtpd_enforce_tls (no)\fR"
483/* Mandatory TLS: announce STARTTLS support to remote SMTP clients,
484/* and require that clients use TLS encryption.
485/* .IP "\fBsmtpd_tls_cipherlist (empty)\fR"
486/* Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
487/* cipher list.
488/* SMTPUTF8 CONTROLS
489/* .ad
490/* .fi
491/* Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
492/* .IP "\fBsmtputf8_enable (yes)\fR"
493/* Enable preliminary SMTPUTF8 support for the protocols described
494/* in RFC 6531..6533.
495/* .IP "\fBstrict_smtputf8 (no)\fR"
496/* Enable stricter enforcement of the SMTPUTF8 protocol.
497/* .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR"
498/* Detect that a message requires SMTPUTF8 support for the specified
499/* mail origin classes.
500/* VERP SUPPORT CONTROLS
501/* .ad
502/* .fi
503/* With VERP style delivery, each recipient of a message receives a
504/* customized copy of the message with his/her own recipient address
505/* encoded in the envelope sender address. The VERP_README file
506/* describes configuration and operation details of Postfix support
507/* for variable envelope return path addresses. VERP style delivery
508/* is requested with the SMTP XVERP command or with the "sendmail
509/* -V" command-line option and is available in Postfix version 1.1
510/* and later.
511/* .IP "\fBdefault_verp_delimiters (+=)\fR"
512/* The two default VERP delimiter characters.
513/* .IP "\fBverp_delimiter_filter (-=+)\fR"
514/* The characters Postfix accepts as VERP delimiter characters on the
515/* Postfix \fBsendmail\fR(1) command line and in SMTP commands.
516/* .PP
517/* Available in Postfix version 1.1 and 2.0:
518/* .IP "\fBauthorized_verp_clients ($mynetworks)\fR"
519/* What remote SMTP clients are allowed to specify the XVERP command.
520/* .PP
521/* Available in Postfix version 2.1 and later:
522/* .IP "\fBsmtpd_authorized_verp_clients ($authorized_verp_clients)\fR"
523/* What remote SMTP clients are allowed to specify the XVERP command.
524/* TROUBLE SHOOTING CONTROLS
525/* .ad
526/* .fi
527/* The DEBUG_README document describes how to debug parts of the
528/* Postfix mail system. The methods vary from making the software log
529/* a lot of detail, to running some daemon processes under control of
530/* a call tracer or debugger.
531/* .IP "\fBdebug_peer_level (2)\fR"
532/* The increment in verbose logging level when a remote client or
533/* server matches a pattern in the debug_peer_list parameter.
534/* .IP "\fBdebug_peer_list (empty)\fR"
535/* Optional list of remote client or server hostname or network
536/* address patterns that cause the verbose logging level to increase
537/* by the amount specified in $debug_peer_level.
538/* .IP "\fBerror_notice_recipient (postmaster)\fR"
539/* The recipient of postmaster notifications about mail delivery
540/* problems that are caused by policy, resource, software or protocol
541/* errors.
542/* .IP "\fBinternal_mail_filter_classes (empty)\fR"
543/* What categories of Postfix-generated mail are subject to
544/* before-queue content inspection by non_smtpd_milters, header_checks
545/* and body_checks.
546/* .IP "\fBnotify_classes (resource, software)\fR"
547/* The list of error classes that are reported to the postmaster.
548/* .IP "\fBsmtpd_reject_footer (empty)\fR"
549/* Optional information that is appended after each Postfix SMTP
550/* server
551/* 4XX or 5XX response.
552/* .IP "\fBsoft_bounce (no)\fR"
553/* Safety net to keep mail queued that would otherwise be returned to
554/* the sender.
555/* .PP
556/* Available in Postfix version 2.1 and later:
557/* .IP "\fBsmtpd_authorized_xclient_hosts (empty)\fR"
558/* What remote SMTP clients are allowed to use the XCLIENT feature.
559/* .PP
560/* Available in Postfix version 2.10 and later:
561/* .IP "\fBsmtpd_log_access_permit_actions (empty)\fR"
562/* Enable logging of the named "permit" actions in SMTP server
563/* access lists (by default, the SMTP server logs "reject" actions but
564/* not "permit" actions).
565/* KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS
566/* .ad
567/* .fi
568/* As of Postfix version 2.0, the SMTP server rejects mail for
569/* unknown recipients. This prevents the mail queue from clogging up
570/* with undeliverable MAILER-DAEMON messages. Additional information
571/* on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README
572/* documents.
573/* .IP "\fBshow_user_unknown_table_name (yes)\fR"
574/* Display the name of the recipient table in the "User unknown"
575/* responses.
576/* .IP "\fBcanonical_maps (empty)\fR"
577/* Optional address mapping lookup tables for message headers and
578/* envelopes.
579/* .IP "\fBrecipient_canonical_maps (empty)\fR"
580/* Optional address mapping lookup tables for envelope and header
581/* recipient addresses.
582/* .PP
583/* Parameters concerning known/unknown local recipients:
584/* .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
585/* The list of domains that are delivered via the $local_transport
586/* mail delivery transport.
587/* .IP "\fBinet_interfaces (all)\fR"
588/* The network interface addresses that this mail system receives
589/* mail on.
590/* .IP "\fBproxy_interfaces (empty)\fR"
591/* The network interface addresses that this mail system receives mail
592/* on by way of a proxy or network address translation unit.
593/* .IP "\fBinet_protocols (all)\fR"
594/* The Internet protocols Postfix will attempt to use when making
595/* or accepting connections.
596/* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"
597/* Lookup tables with all names or addresses of local recipients:
598/* a recipient address is local when its domain matches $mydestination,
599/* $inet_interfaces or $proxy_interfaces.
600/* .IP "\fBunknown_local_recipient_reject_code (550)\fR"
601/* The numerical Postfix SMTP server response code when a recipient
602/* address is local, and $local_recipient_maps specifies a list of
603/* lookup tables that does not match the recipient.
604/* .PP
605/* Parameters concerning known/unknown recipients of relay destinations:
606/* .IP "\fBrelay_domains (Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)\fR"
607/* What destination domains (and subdomains thereof) this system
608/* will relay mail to.
609/* .IP "\fBrelay_recipient_maps (empty)\fR"
610/* Optional lookup tables with all valid addresses in the domains
611/* that match $relay_domains.
612/* .IP "\fBunknown_relay_recipient_reject_code (550)\fR"
613/* The numerical Postfix SMTP server reply code when a recipient
614/* address matches $relay_domains, and relay_recipient_maps specifies
615/* a list of lookup tables that does not match the recipient address.
616/* .PP
617/* Parameters concerning known/unknown recipients in virtual alias
618/* domains:
619/* .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR"
620/* Postfix is final destination for the specified list of virtual
621/* alias domains, that is, domains for which all addresses are aliased
622/* to addresses in other local or remote domains.
623/* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
624/* Optional lookup tables that alias specific mail addresses or domains
625/* to other local or remote addresses.
626/* .IP "\fBunknown_virtual_alias_reject_code (550)\fR"
627/* The Postfix SMTP server reply code when a recipient address matches
628/* $virtual_alias_domains, and $virtual_alias_maps specifies a list
629/* of lookup tables that does not match the recipient address.
630/* .PP
631/* Parameters concerning known/unknown recipients in virtual mailbox
632/* domains:
633/* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR"
634/* Postfix is final destination for the specified list of domains;
635/* mail is delivered via the $virtual_transport mail delivery transport.
636/* .IP "\fBvirtual_mailbox_maps (empty)\fR"
637/* Optional lookup tables with all valid addresses in the domains that
638/* match $virtual_mailbox_domains.
639/* .IP "\fBunknown_virtual_mailbox_reject_code (550)\fR"
640/* The Postfix SMTP server reply code when a recipient address matches
641/* $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list
642/* of lookup tables that does not match the recipient address.
643/* RESOURCE AND RATE CONTROLS
644/* .ad
645/* .fi
646/* The following parameters limit resource usage by the SMTP
647/* server and/or control client request rates.
648/* .IP "\fBline_length_limit (2048)\fR"
649/* Upon input, long lines are chopped up into pieces of at most
650/* this length; upon delivery, long lines are reconstructed.
651/* .IP "\fBqueue_minfree (0)\fR"
652/* The minimal amount of free space in bytes in the queue file system
653/* that is needed to receive mail.
654/* .IP "\fBmessage_size_limit (10240000)\fR"
655/* The maximal size in bytes of a message, including envelope information.
656/* .IP "\fBsmtpd_recipient_limit (1000)\fR"
657/* The maximal number of recipients that the Postfix SMTP server
658/* accepts per message delivery request.
659/* .IP "\fBsmtpd_timeout (normal: 300s, overload: 10s)\fR"
660/* The time limit for sending a Postfix SMTP server response and for
661/* receiving a remote SMTP client request.
662/* .IP "\fBsmtpd_history_flush_threshold (100)\fR"
663/* The maximal number of lines in the Postfix SMTP server command history
664/* before it is flushed upon receipt of EHLO, RSET, or end of DATA.
665/* .PP
666/* Available in Postfix version 2.3 and later:
667/* .IP "\fBsmtpd_peername_lookup (yes)\fR"
668/* Attempt to look up the remote SMTP client hostname, and verify that
669/* the name matches the client IP address.
670/* .PP
671/* The per SMTP client connection count and request rate limits are
672/* implemented in co-operation with the \fBanvil\fR(8) service, and
673/* are available in Postfix version 2.2 and later.
674/* .IP "\fBsmtpd_client_connection_count_limit (50)\fR"
675/* How many simultaneous connections any client is allowed to
676/* make to this service.
677/* .IP "\fBsmtpd_client_connection_rate_limit (0)\fR"
678/* The maximal number of connection attempts any client is allowed to
679/* make to this service per time unit.
680/* .IP "\fBsmtpd_client_message_rate_limit (0)\fR"
681/* The maximal number of message delivery requests that any client is
682/* allowed to make to this service per time unit, regardless of whether
683/* or not Postfix actually accepts those messages.
684/* .IP "\fBsmtpd_client_recipient_rate_limit (0)\fR"
685/* The maximal number of recipient addresses that any client is allowed
686/* to send to this service per time unit, regardless of whether or not
687/* Postfix actually accepts those recipients.
688/* .IP "\fBsmtpd_client_event_limit_exceptions ($mynetworks)\fR"
689/* Clients that are excluded from smtpd_client_*_count/rate_limit
690/* restrictions.
691/* .PP
692/* Available in Postfix version 2.3 and later:
693/* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR"
694/* The maximal number of new (i.e., uncached) TLS sessions that a
695/* remote SMTP client is allowed to negotiate with this service per
696/* time unit.
697/* .PP
698/* Available in Postfix version 2.9 and later:
699/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
700/* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
701/* time limits, from a
702/* time limit per read or write system call, to a time limit to send
703/* or receive a complete record (an SMTP command line, SMTP response
704/* line, SMTP message content line, or TLS protocol message).
705/* .PP
706/* Available in Postfix version 3.1 and later:
707/* .IP "\fBsmtpd_client_auth_rate_limit (0)\fR"
708/* The maximal number of AUTH commands that any client is allowed to
709/* send to this service per time unit, regardless of whether or not
710/* Postfix actually accepts those commands.
711/* TARPIT CONTROLS
712/* .ad
713/* .fi
714/* When a remote SMTP client makes errors, the Postfix SMTP server
715/* can insert delays before responding. This can help to slow down
716/* run-away software. The behavior is controlled by an error counter
717/* that counts the number of errors within an SMTP session that a
718/* client makes without delivering mail.
719/* .IP "\fBsmtpd_error_sleep_time (1s)\fR"
720/* With Postfix version 2.1 and later: the SMTP server response delay after
721/* a client has made more than $smtpd_soft_error_limit errors, and
722/* fewer than $smtpd_hard_error_limit errors, without delivering mail.
723/* .IP "\fBsmtpd_soft_error_limit (10)\fR"
724/* The number of errors a remote SMTP client is allowed to make without
725/* delivering mail before the Postfix SMTP server slows down all its
726/* responses.
727/* .IP "\fBsmtpd_hard_error_limit (normal: 20, overload: 1)\fR"
728/* The maximal number of errors a remote SMTP client is allowed to
729/* make without delivering mail.
730/* .IP "\fBsmtpd_junk_command_limit (normal: 100, overload: 1)\fR"
731/* The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
732/* SMTP client can send before the Postfix SMTP server starts to
733/* increment the error counter with each junk command.
734/* .PP
735/* Available in Postfix version 2.1 and later:
736/* .IP "\fBsmtpd_recipient_overshoot_limit (1000)\fR"
737/* The number of recipients that a remote SMTP client can send in
738/* excess of the limit specified with $smtpd_recipient_limit, before
739/* the Postfix SMTP server increments the per-session error count
740/* for each excess recipient.
741/* ACCESS POLICY DELEGATION CONTROLS
742/* .ad
743/* .fi
744/* As of version 2.1, Postfix can be configured to delegate access
745/* policy decisions to an external server that runs outside Postfix.
746/* See the file SMTPD_POLICY_README for more information.
747/* .IP "\fBsmtpd_policy_service_max_idle (300s)\fR"
748/* The time after which an idle SMTPD policy service connection is
749/* closed.
750/* .IP "\fBsmtpd_policy_service_max_ttl (1000s)\fR"
751/* The time after which an active SMTPD policy service connection is
752/* closed.
753/* .IP "\fBsmtpd_policy_service_timeout (100s)\fR"
754/* The time limit for connecting to, writing to, or receiving from a
755/* delegated SMTPD policy server.
756/* .PP
757/* Available in Postfix version 3.0 and later:
758/* .IP "\fBsmtpd_policy_service_default_action (451 4.3.5 Server configuration problem)\fR"
759/* The default action when an SMTPD policy service request fails.
760/* .IP "\fBsmtpd_policy_service_request_limit (0)\fR"
761/* The maximal number of requests per SMTPD policy service connection,
762/* or zero (no limit).
763/* .IP "\fBsmtpd_policy_service_try_limit (2)\fR"
764/* The maximal number of attempts to send an SMTPD policy service
765/* request before giving up.
766/* .IP "\fBsmtpd_policy_service_retry_delay (1s)\fR"
767/* The delay between attempts to resend a failed SMTPD policy
768/* service request.
769/* .PP
770/* Available in Postfix version 3.1 and later:
771/* .IP "\fBsmtpd_policy_service_policy_context (empty)\fR"
772/* Optional information that the Postfix SMTP server specifies in
773/* the "policy_context" attribute of a policy service request (originally,
774/* to share the same service endpoint among multiple check_policy_service
775/* clients).
776/* ACCESS CONTROLS
777/* .ad
778/* .fi
779/* The SMTPD_ACCESS_README document gives an introduction to all the
780/* SMTP server access control features.
781/* .IP "\fBsmtpd_delay_reject (yes)\fR"
782/* Wait until the RCPT TO command before evaluating
783/* $smtpd_client_restrictions, $smtpd_helo_restrictions and
784/* $smtpd_sender_restrictions, or wait until the ETRN command before
785/* evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
786/* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
787/* A list of Postfix features where the pattern "example.com" also
788/* matches subdomains of example.com,
789/* instead of requiring an explicit ".example.com" pattern.
790/* .IP "\fBsmtpd_client_restrictions (empty)\fR"
791/* Optional restrictions that the Postfix SMTP server applies in the
792/* context of a client connection request.
793/* .IP "\fBsmtpd_helo_required (no)\fR"
794/* Require that a remote SMTP client introduces itself with the HELO
795/* or EHLO command before sending the MAIL command or other commands
796/* that require EHLO negotiation.
797/* .IP "\fBsmtpd_helo_restrictions (empty)\fR"
798/* Optional restrictions that the Postfix SMTP server applies in the
799/* context of a client HELO command.
800/* .IP "\fBsmtpd_sender_restrictions (empty)\fR"
801/* Optional restrictions that the Postfix SMTP server applies in the
802/* context of a client MAIL FROM command.
803/* .IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR"
804/* Optional restrictions that the Postfix SMTP server applies in the
805/* context of a client RCPT TO command, after smtpd_relay_restrictions.
806/* .IP "\fBsmtpd_etrn_restrictions (empty)\fR"
807/* Optional restrictions that the Postfix SMTP server applies in the
808/* context of a client ETRN command.
809/* .IP "\fBallow_untrusted_routing (no)\fR"
810/* Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
811/* from untrusted clients to destinations matching $relay_domains.
812/* .IP "\fBsmtpd_restriction_classes (empty)\fR"
813/* User-defined aliases for groups of access restrictions.
814/* .IP "\fBsmtpd_null_access_lookup_key (<>)\fR"
815/* The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the
816/* null sender address.
817/* .IP "\fBpermit_mx_backup_networks (empty)\fR"
818/* Restrict the use of the permit_mx_backup SMTP access feature to
819/* only domains whose primary MX hosts match the listed networks.
820/* .PP
821/* Available in Postfix version 2.0 and later:
822/* .IP "\fBsmtpd_data_restrictions (empty)\fR"
823/* Optional access restrictions that the Postfix SMTP server applies
824/* in the context of the SMTP DATA command.
825/* .IP "\fBsmtpd_expansion_filter (see 'postconf -d' output)\fR"
826/* What characters are allowed in $name expansions of RBL reply
827/* templates.
828/* .PP
829/* Available in Postfix version 2.1 and later:
830/* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
831/* Request that the Postfix SMTP server rejects mail from unknown
832/* sender addresses, even when no explicit reject_unlisted_sender
833/* access restriction is specified.
834/* .IP "\fBsmtpd_reject_unlisted_recipient (yes)\fR"
835/* Request that the Postfix SMTP server rejects mail for unknown
836/* recipient addresses, even when no explicit reject_unlisted_recipient
837/* access restriction is specified.
838/* .PP
839/* Available in Postfix version 2.2 and later:
840/* .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR"
841/* Optional access restrictions that the Postfix SMTP server
842/* applies in the context of the SMTP END-OF-DATA command.
843/* .PP
844/* Available in Postfix version 2.10 and later:
845/* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)\fR"
846/* Access restrictions for mail relay control that the Postfix
847/* SMTP server applies in the context of the RCPT TO command, before
848/* smtpd_recipient_restrictions.
849/* SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS
850/* .ad
851/* .fi
852/* Postfix version 2.1 introduces sender and recipient address verification.
853/* This feature is implemented by sending probe email messages that
854/* are not actually delivered.
855/* This feature is requested via the reject_unverified_sender and
856/* reject_unverified_recipient access restrictions. The status of
857/* verification probes is maintained by the \fBverify\fR(8) server.
858/* See the file ADDRESS_VERIFICATION_README for information
859/* about how to configure and operate the Postfix sender/recipient
860/* address verification service.
861/* .IP "\fBaddress_verify_poll_count (normal: 3, overload: 1)\fR"
862/* How many times to query the \fBverify\fR(8) service for the completion
863/* of an address verification request in progress.
864/* .IP "\fBaddress_verify_poll_delay (3s)\fR"
865/* The delay between queries for the completion of an address
866/* verification request in progress.
867/* .IP "\fBaddress_verify_sender ($double_bounce_sender)\fR"
868/* The sender address to use in address verification probes; prior
869/* to Postfix 2.5 the default was "postmaster".
870/* .IP "\fBunverified_sender_reject_code (450)\fR"
871/* The numerical Postfix SMTP server response code when a recipient
872/* address is rejected by the reject_unverified_sender restriction.
873/* .IP "\fBunverified_recipient_reject_code (450)\fR"
874/* The numerical Postfix SMTP server response when a recipient address
875/* is rejected by the reject_unverified_recipient restriction.
876/* .PP
877/* Available in Postfix version 2.6 and later:
878/* .IP "\fBunverified_sender_defer_code (450)\fR"
879/* The numerical Postfix SMTP server response code when a sender address
880/* probe fails due to a temporary error condition.
881/* .IP "\fBunverified_recipient_defer_code (450)\fR"
882/* The numerical Postfix SMTP server response when a recipient address
883/* probe fails due to a temporary error condition.
884/* .IP "\fBunverified_sender_reject_reason (empty)\fR"
885/* The Postfix SMTP server's reply when rejecting mail with
886/* reject_unverified_sender.
887/* .IP "\fBunverified_recipient_reject_reason (empty)\fR"
888/* The Postfix SMTP server's reply when rejecting mail with
889/* reject_unverified_recipient.
890/* .IP "\fBunverified_sender_tempfail_action ($reject_tempfail_action)\fR"
891/* The Postfix SMTP server's action when reject_unverified_sender
892/* fails due to a temporary error condition.
893/* .IP "\fBunverified_recipient_tempfail_action ($reject_tempfail_action)\fR"
894/* The Postfix SMTP server's action when reject_unverified_recipient
895/* fails due to a temporary error condition.
896/* .PP
897/* Available with Postfix 2.9 and later:
898/* .IP "\fBaddress_verify_sender_ttl (0s)\fR"
899/* The time between changes in the time-dependent portion of address
900/* verification probe sender addresses.
901/* ACCESS CONTROL RESPONSES
902/* .ad
903/* .fi
904/* The following parameters control numerical SMTP reply codes
905/* and/or text responses.
906/* .IP "\fBaccess_map_reject_code (554)\fR"
907/* The numerical Postfix SMTP server response code for
908/* an \fBaccess\fR(5) map "reject" action.
909/* .IP "\fBdefer_code (450)\fR"
910/* The numerical Postfix SMTP server response code when a remote SMTP
911/* client request is rejected by the "defer" restriction.
912/* .IP "\fBinvalid_hostname_reject_code (501)\fR"
913/* The numerical Postfix SMTP server response code when the client
914/* HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname
915/* restriction.
916/* .IP "\fBmaps_rbl_reject_code (554)\fR"
917/* The numerical Postfix SMTP server response code when a remote SMTP
918/* client request is blocked by the reject_rbl_client, reject_rhsbl_client,
919/* reject_rhsbl_reverse_client, reject_rhsbl_sender or
920/* reject_rhsbl_recipient restriction.
921/* .IP "\fBnon_fqdn_reject_code (504)\fR"
922/* The numerical Postfix SMTP server reply code when a client request
923/* is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
924/* or reject_non_fqdn_recipient restriction.
925/* .IP "\fBplaintext_reject_code (450)\fR"
926/* The numerical Postfix SMTP server response code when a request
927/* is rejected by the \fBreject_plaintext_session\fR restriction.
928/* .IP "\fBreject_code (554)\fR"
929/* The numerical Postfix SMTP server response code when a remote SMTP
930/* client request is rejected by the "reject" restriction.
931/* .IP "\fBrelay_domains_reject_code (554)\fR"
932/* The numerical Postfix SMTP server response code when a client
933/* request is rejected by the reject_unauth_destination recipient
934/* restriction.
935/* .IP "\fBunknown_address_reject_code (450)\fR"
936/* The numerical response code when the Postfix SMTP server rejects a
937/* sender or recipient address because its domain is unknown.
938/* .IP "\fBunknown_client_reject_code (450)\fR"
939/* The numerical Postfix SMTP server response code when a client
940/* without valid address <=> name mapping is rejected by the
941/* reject_unknown_client_hostname restriction.
942/* .IP "\fBunknown_hostname_reject_code (450)\fR"
943/* The numerical Postfix SMTP server response code when the hostname
944/* specified with the HELO or EHLO command is rejected by the
945/* reject_unknown_helo_hostname restriction.
946/* .PP
947/* Available in Postfix version 2.0 and later:
948/* .IP "\fBdefault_rbl_reply (see 'postconf -d' output)\fR"
949/* The default Postfix SMTP server response template for a request that is
950/* rejected by an RBL-based restriction.
951/* .IP "\fBmulti_recipient_bounce_reject_code (550)\fR"
952/* The numerical Postfix SMTP server response code when a remote SMTP
953/* client request is blocked by the reject_multi_recipient_bounce
954/* restriction.
955/* .IP "\fBrbl_reply_maps (empty)\fR"
956/* Optional lookup tables with RBL response templates.
957/* .PP
958/* Available in Postfix version 2.6 and later:
959/* .IP "\fBaccess_map_defer_code (450)\fR"
960/* The numerical Postfix SMTP server response code for
961/* an \fBaccess\fR(5) map "defer" action, including "defer_if_permit"
962/* or "defer_if_reject".
963/* .IP "\fBreject_tempfail_action (defer_if_permit)\fR"
964/* The Postfix SMTP server's action when a reject-type restriction
965/* fails due to a temporary error condition.
966/* .IP "\fBunknown_helo_hostname_tempfail_action ($reject_tempfail_action)\fR"
967/* The Postfix SMTP server's action when reject_unknown_helo_hostname
/* fails due to a temporary error condition.
969/* .IP "\fBunknown_address_tempfail_action ($reject_tempfail_action)\fR"
970/* The Postfix SMTP server's action when reject_unknown_sender_domain
971/* or reject_unknown_recipient_domain fail due to a temporary error
972/* condition.
973/* MISCELLANEOUS CONTROLS
974/* .ad
975/* .fi
976/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
977/* The default location of the Postfix main.cf and master.cf
978/* configuration files.
979/* .IP "\fBdaemon_timeout (18000s)\fR"
980/* How much time a Postfix daemon process may take to handle a
981/* request before it is terminated by a built-in watchdog timer.
982/* .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
983/* The location of all postfix administrative commands.
984/* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
985/* The sender address of postmaster notifications that are generated
986/* by the mail system.
987/* .IP "\fBipc_timeout (3600s)\fR"
988/* The time limit for sending or receiving information over an internal
989/* communication channel.
990/* .IP "\fBmail_name (Postfix)\fR"
991/* The mail system name that is displayed in Received: headers, in
992/* the SMTP greeting banner, and in bounced mail.
993/* .IP "\fBmail_owner (postfix)\fR"
994/* The UNIX system account that owns the Postfix queue and most Postfix
995/* daemon processes.
996/* .IP "\fBmax_idle (100s)\fR"
997/* The maximum amount of time that an idle Postfix daemon process waits
998/* for an incoming connection before terminating voluntarily.
999/* .IP "\fBmax_use (100)\fR"
1000/* The maximal number of incoming connections that a Postfix daemon
1001/* process will service before terminating voluntarily.
1002/* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
1003/* The internet hostname of this mail system.
1004/* .IP "\fBmynetworks (see 'postconf -d' output)\fR"
1005/* The list of "trusted" remote SMTP clients that have more privileges than
1006/* "strangers".
1007/* .IP "\fBmyorigin ($myhostname)\fR"
1008/* The domain name that locally-posted mail appears to come
1009/* from, and that locally posted mail is delivered to.
1010/* .IP "\fBprocess_id (read-only)\fR"
1011/* The process ID of a Postfix command or daemon process.
1012/* .IP "\fBprocess_name (read-only)\fR"
1013/* The process name of a Postfix command or daemon process.
1014/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
1015/* The location of the Postfix top-level queue directory.
1016/* .IP "\fBrecipient_delimiter (empty)\fR"
1017/* The set of characters that can separate a user name from its
1018/* extension (example: user+foo), or a .forward file name from its
1019/* extension (example: .forward+foo).
1020/* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR"
1021/* The text that follows the 220 status code in the SMTP greeting
1022/* banner.
1023/* .IP "\fBsyslog_facility (mail)\fR"
1024/* The syslog facility of Postfix logging.
1025/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
1026/* The mail system name that is prepended to the process name in syslog
1027/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
1028/* .PP
1029/* Available in Postfix version 2.2 and later:
1030/* .IP "\fBsmtpd_forbidden_commands (CONNECT, GET, POST)\fR"
1031/* List of commands that cause the Postfix SMTP server to immediately
1032/* terminate the session with a 221 code.
1033/* .PP
1034/* Available in Postfix version 2.5 and later:
1035/* .IP "\fBsmtpd_client_port_logging (no)\fR"
1036/* Enable logging of the remote SMTP client port in addition to
1037/* the hostname and IP address.
1038/* SEE ALSO
1039/* anvil(8), connection/rate limiting
1040/* cleanup(8), message canonicalization
1041/* tlsmgr(8), TLS session and PRNG management
1042/* trivial-rewrite(8), address resolver
1043/* verify(8), address verification service
1044/* postconf(5), configuration parameters
1045/* master(5), generic daemon options
1046/* master(8), process manager
1047/* syslogd(8), system logging
1048/* README FILES
1049/* .ad
1050/* .fi
1051/* Use "\fBpostconf readme_directory\fR" or
1052/* "\fBpostconf html_directory\fR" to locate this information.
1053/* .na
1054/* .nf
1055/* ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
/* ADDRESS_REWRITING_README, Postfix address manipulation
1057/* FILTER_README, external after-queue content filter
1058/* LOCAL_RECIPIENT_README, blocking unknown local recipients
1059/* MILTER_README, before-queue mail filter applications
1060/* SMTPD_ACCESS_README, built-in access policies
1061/* SMTPD_POLICY_README, external policy server
1062/* SMTPD_PROXY_README, external before-queue content filter
1063/* SASL_README, Postfix SASL howto
1064/* TLS_README, Postfix STARTTLS howto
1065/* VERP_README, Postfix XVERP extension
1066/* XCLIENT_README, Postfix XCLIENT extension
1067/* XFORWARD_README, Postfix XFORWARD extension
1068/* LICENSE
1069/* .ad
1070/* .fi
1071/* The Secure Mailer license must be distributed with this software.
1072/* AUTHOR(S)
1073/* Wietse Venema
1074/* IBM T.J. Watson Research
1075/* P.O. Box 704
1076/* Yorktown Heights, NY 10598, USA
1077/*
1078/* Wietse Venema
1079/* Google, Inc.
1080/* 111 8th Avenue
1081/* New York, NY 10011, USA
1082/*
1083/* SASL support originally by:
1084/* Till Franke
1085/* SuSE Rhein/Main AG
1086/* 65760 Eschborn, Germany
1087/*
1088/* TLS support originally by:
1089/* Lutz Jaenicke
1090/* BTU Cottbus
1091/* Allgemeine Elektrotechnik
1092/* Universitaetsplatz 3-4
1093/* D-03044 Cottbus, Germany
1094/*
1095/* Revised TLS support by:
1096/* Victor Duchovni
1097/* Morgan Stanley
1098/*--*/
1099
1100/* System library. */
1101
1102#include <sys_defs.h>
1103#include <sys/socket.h>
1104#include <sys/stat.h>
1105#include <netinet/in.h>
1106#include <arpa/inet.h>
1107#include <netdb.h>
1108#include <string.h>
1109#include <stdio.h> /* remove() */
1110#include <unistd.h>
1111#include <stdlib.h>
1112#include <errno.h>
1113#include <ctype.h>
1114#include <signal.h>
1115#include <stddef.h> /* offsetof() */
1116
1117#ifdef STRCASECMP_IN_STRINGS_H
1118#include <strings.h>
1119#endif
1120
1121/* Utility library. */
1122
1123#include <msg.h>
1124#include <mymalloc.h>
1125#include <vstring.h>
1126#include <vstream.h>
1127#include <vstring_vstream.h>
1128#include <stringops.h>
1129#include <events.h>
1130#include <smtp_stream.h>
1131#include <valid_hostname.h>
1132#include <dict.h>
1133#include <watchdog.h>
1134#include <iostuff.h>
1135#include <split_at.h>
1136#include <name_code.h>
1137#include <inet_proto.h>
1138
1139/* Global library. */
1140
1141#include <mail_params.h>
1142#include <mail_version.h> /* milter_macro_v */
1143#include <record.h>
1144#include <rec_type.h>
1145#include <mail_proto.h>
1146#include <cleanup_user.h>
1147#include <mail_date.h>
1148#include <mail_conf.h>
1149#include <off_cvt.h>
1150#include <debug_peer.h>
1151#include <mail_error.h>
1152#include <flush_clnt.h>
1153#include <mail_stream.h>
1154#include <mail_queue.h>
1155#include <tok822.h>
1156#include <verp_sender.h>
1157#include <string_list.h>
1158#include <quote_822_local.h>
1159#include <lex_822.h>
1160#include <namadr_list.h>
1161#include <input_transp.h>
1162#include <is_header.h>
1163#include <anvil_clnt.h>
1164#include <flush_clnt.h>
1165#include <ehlo_mask.h> /* ehlo filter */
1166#include <maps.h> /* ehlo filter */
1167#include <valid_mailhost_addr.h>
1168#include <dsn_mask.h>
1169#include <xtext.h>
1170#include <uxtext.h>
1171#include <tls_proxy.h>
1172#include <verify_sender_addr.h>
1173#include <smtputf8.h>
1174#include <match_parent_style.h>
1175
1176/* Single-threaded server skeleton. */
1177
1178#include <mail_server.h>
1179
1180/* Mail filter library. */
1181
1182#include <milter.h>
1183
1184/* DNS library. */
1185
1186#include <dns.h>
1187
1188/* Application-specific */
1189
1190#include <smtpd_token.h>
1191#include <smtpd.h>
1192#include <smtpd_check.h>
1193#include <smtpd_chat.h>
1194#include <smtpd_sasl_proto.h>
1195#include <smtpd_sasl_glue.h>
1196#include <smtpd_proxy.h>
1197#include <smtpd_milter.h>
1198#include <smtpd_expand.h>
1199
1200#include "pfilter.h"
1201
 /*
  * Tunable parameters. Make sure that there is some bound on the length of
  * an SMTP command, so that the mail system stays in control even when a
  * malicious client sends commands of unreasonable length (qmail-dos-1).
  * Make sure there is some bound on the number of recipients, so that the
  * mail system stays in control even when a malicious client sends an
  * unreasonable number of recipients (qmail-dos-2).
  *
  * The var_* globals below receive main.cf parameter values. The parameters
  * themselves (limits, restriction lists, reply codes, lookup tables) are
  * described in the manual-page comment at the top of this file; the
  * RESOURCE AND RATE CONTROLS, TARPIT CONTROLS, ACCESS POLICY DELEGATION
  * CONTROLS, ACCESS CONTROLS and ACCESS CONTROL RESPONSES sections cover
  * most of them. NOTE(review): the table that binds parameter names to
  * these variables is outside this listing, so the per-variable remarks
  * below go by the var_<abbreviated parameter> naming convention and
  * should be confirmed against that table.
  */
int var_smtpd_rcpt_limit;	/* the per-message recipient bound described above */
int var_smtpd_tmout;		/* read/write time limit (see smtpd_timeout) */
int var_smtpd_soft_erlim;	/* error-counter thresholds (TARPIT CONTROLS) */
int var_smtpd_hard_erlim;
int var_queue_minfree; /* XXX use off_t */
char *var_smtpd_banner;
char *var_notify_classes;
char *var_client_checks;	/* smtpd_*_restrictions: one list per SMTP stage */
char *var_helo_checks;
char *var_mail_checks;
char *var_relay_checks;
char *var_rcpt_checks;
char *var_etrn_checks;
char *var_data_checks;
char *var_eod_checks;
int var_unk_client_code;	/* numerical SMTP reply codes used by reject-type */
int var_bad_name_code;		/* restrictions (ACCESS CONTROL RESPONSES) */
int var_unk_name_code;
int var_unk_addr_code;
int var_relay_code;
int var_maps_rbl_code;
int var_map_reject_code;
int var_map_defer_code;
char *var_maps_rbl_domains;	/* DNSBL configuration and reply templates */
char *var_rbl_reply_maps;
int var_helo_required;
int var_reject_code;
int var_defer_code;
int var_smtpd_err_sleep;	/* tarpit delay after too many client errors */
int var_non_fqdn_code;
char *var_error_rcpt;
int var_smtpd_delay_reject;	/* evaluate client/helo/sender checks at RCPT TO */
char *var_rest_classes;
int var_strict_rfc821_env;
bool var_disable_vrfy_cmd;	/* VRFY is an address-enumeration vector; see the man page */
char *var_canonical_maps;	/* address rewriting / local recipient tables */
char *var_send_canon_maps;
char *var_rcpt_canon_maps;
char *var_virt_alias_maps;
char *var_virt_mailbox_maps;
char *var_alias_maps;
char *var_local_rcpt_maps;
bool var_allow_untrust_route;	/* allow_untrusted_routing: sender-specified routing from untrusted clients */
int var_smtpd_junk_cmd_limit;
int var_smtpd_rcpt_overlim;
bool var_smtpd_sasl_enable;	/* SASL AUTH configuration (SASL_README) */
bool var_smtpd_sasl_auth_hdr;
char *var_smtpd_sasl_opts;
char *var_smtpd_sasl_path;
char *var_smtpd_sasl_service;
char *var_cyrus_conf_path;
char *var_smtpd_sasl_realm;
char *var_smtpd_sasl_exceptions_networks;
char *var_smtpd_sasl_type;
char *var_filter_xport;
bool var_broken_auth_clients;
char *var_perm_mx_networks;	/* restricts permit_mx_backup to listed primary-MX networks */
char *var_smtpd_snd_auth_maps;
char *var_smtpd_noop_cmds;
char *var_smtpd_null_key;	/* access(5) lookup key standing in for the null sender */
int var_smtpd_hist_thrsh;
char *var_smtpd_exp_filter;	/* characters permitted in $name expansions of RBL replies */
char *var_def_rbl_reply;
int var_unv_from_rcode;		/* sender/recipient address verification: reply codes, */
int var_unv_rcpt_rcode;		/* defer codes and reply text */
int var_unv_from_dcode;
int var_unv_rcpt_dcode;
char *var_unv_from_why;
char *var_unv_rcpt_why;
int var_mul_rcpt_code;
char *var_relay_rcpt_maps;
int var_local_rcpt_code;	/* reply codes for unknown local/virtual/relay recipients */
int var_virt_alias_code;
int var_virt_mailbox_code;
int var_relay_rcpt_code;
char *var_verp_clients;
int var_show_unk_rcpt_table;
int var_verify_poll_count;	/* polling of the verify(8) service */
int var_verify_poll_delay;
char *var_smtpd_proxy_filt;	/* before-queue content filter (SMTPD_PROXY_README) */
int var_smtpd_proxy_tmout;
char *var_smtpd_proxy_ehlo;
char *var_smtpd_proxy_opts;
char *var_input_transp;
int var_smtpd_policy_tmout;	/* external policy server (SMTPD_POLICY_README) */
int var_smtpd_policy_req_limit;
int var_smtpd_policy_try_limit;
int var_smtpd_policy_try_delay;
char *var_smtpd_policy_def_action;
char *var_smtpd_policy_context;
int var_smtpd_policy_idle;
int var_smtpd_policy_ttl;
char *var_xclient_hosts;	/* clients allowed to use XCLIENT / XFORWARD */
char *var_xforward_hosts;
bool var_smtpd_rej_unl_from;
bool var_smtpd_rej_unl_rcpt;
char *var_smtpd_forbid_cmds;	/* commands that end the session immediately */
int var_smtpd_crate_limit;	/* per-client limits enforced with anvil(8) */
int var_smtpd_cconn_limit;
int var_smtpd_cmail_limit;
int var_smtpd_crcpt_limit;
int var_smtpd_cntls_limit;
int var_smtpd_cauth_limit;
char *var_smtpd_hoggers;	/* clients exempt from the per-client limits */
char *var_local_rwr_clients;
char *var_smtpd_ehlo_dis_words;	/* EHLO keyword filter (see ehlo_discard_maps) */
char *var_smtpd_ehlo_dis_maps;
1317
/*
 * TLS policy knobs that are compiled in unconditionally (the TLS-only
 * parameters live in the USE_TLS section that follows), plus a few
 * miscellaneous SMTP server controls. NOTE(review): the variable-to-
 * parameter binding is outside this listing; the remarks below follow
 * the var_<abbreviated parameter> naming convention.
 */
char *var_smtpd_tls_level;	/* opportunistic / mandatory TLS security level */
bool var_smtpd_use_tls;
bool var_smtpd_enforce_tls;
bool var_smtpd_tls_wrappermode;	/* TLS on connect instead of STARTTLS */
bool var_smtpd_tls_auth_only;	/* offer AUTH only inside a TLS session */
char *var_smtpd_cmd_filter;	/* command rewriting table, see smtpd_cmd_filter below */
char *var_smtpd_rej_footer;
char *var_smtpd_acl_perm_log;
char *var_smtpd_dns_re_filter;
1327
/*
 * Parameters that exist only when the server is built with TLS support.
 * Certificate, key, CA, cipher and protocol settings are documented in
 * TLS_README (see the README FILES section of the manual page above).
 * NOTE(review): 512-bit DH parameters (var_smtpd_tls_dh512_param_file)
 * are cryptographically obsolete; whether this file is still consulted
 * is decided by the TLS library code outside this listing.
 */
#ifdef USE_TLS
char *var_smtpd_relay_ccerts;	/* client certs trusted for relaying */
char *var_smtpd_sasl_tls_opts;	/* SASL options that apply inside TLS */
int var_smtpd_starttls_tmout;	/* TLS handshake time limit */
char *var_smtpd_tls_CAfile;
char *var_smtpd_tls_CApath;
bool var_smtpd_tls_ask_ccert;	/* request / require a client certificate */
int var_smtpd_tls_ccert_vd;
char *var_smtpd_tls_cert_file;
char *var_smtpd_tls_mand_ciph;	/* cipher grades and exclusions */
char *var_smtpd_tls_excl_ciph;
char *var_smtpd_tls_mand_excl;
char *var_smtpd_tls_dcert_file;	/* DSA certificate and key */
char *var_smtpd_tls_dh1024_param_file;
char *var_smtpd_tls_dh512_param_file;
char *var_smtpd_tls_dkey_file;
char *var_smtpd_tls_key_file;
char *var_smtpd_tls_loglevel;
char *var_smtpd_tls_mand_proto;
bool var_smtpd_tls_received_header;	/* record TLS details in Received: */
bool var_smtpd_tls_req_ccert;
bool var_smtpd_tls_set_sessid;
char *var_smtpd_tls_fpt_dgst;	/* digest used for certificate fingerprints */
char *var_smtpd_tls_ciph;
char *var_smtpd_tls_proto;
char *var_smtpd_tls_eecdh;	/* ephemeral ECDH curve selection */
char *var_smtpd_tls_eccert_file;	/* ECDSA certificate and key */
char *var_smtpd_tls_eckey_file;

#endif
1358
/*
 * Client lookup, Milter, temporary-failure handling and proxy settings.
 * NOTE(review): the variable-to-parameter binding is outside this listing;
 * the remarks below follow the var_<abbreviated parameter> naming
 * convention.
 */
bool var_smtpd_peername_lookup;	/* reverse+forward DNS check of the client (smtpd_peername_lookup) */
int var_plaintext_code;		/* reply code for reject_plaintext_session */
bool var_smtpd_delay_open;
char *var_smtpd_milters;	/* Milter applications and their timeouts, protocol, */
int var_milt_conn_time;		/* default action and per-stage macro lists */
int var_milt_cmd_time;
int var_milt_msg_time;
char *var_milt_protocol;
char *var_milt_def_action;
char *var_milt_daemon_name;
char *var_milt_v;
char *var_milt_conn_macros;
char *var_milt_helo_macros;
char *var_milt_mail_macros;
char *var_milt_rcpt_macros;
char *var_milt_data_macros;
char *var_milt_eoh_macros;
char *var_milt_eod_macros;
char *var_milt_unk_macros;
char *var_milt_macro_deflts;
bool var_smtpd_client_port_log;	/* log the client TCP port as well */
char *var_stress;		/* overload indicator; several defaults above switch on it */

char *var_reject_tmpf_act;	/* what to do when a reject-type restriction hits a */
char *var_unk_name_tf_act;	/* temporary error (reject_tempfail_action and friends) */
char *var_unk_addr_tf_act;
char *var_unv_rcpt_tf_act;
char *var_unv_from_tf_act;
bool var_smtpd_rec_deadline;	/* per-record instead of per-syscall deadline */

int smtpd_proxy_opts;		/* presumably the parsed form of var_smtpd_proxy_opts */

#ifdef USE_TLSPROXY
char *var_tlsproxy_service;	/* tlsproxy(8) service name, TLS-proxy builds only */

#endif

char *var_smtpd_uproxy_proto;	/* upstream proxy protocol name and handshake timeout */
int var_smtpd_uproxy_tmout;
1398
 /*
  * Silly little macros: the C string and length of a VSTRING.
  */
#define STR(x) vstring_str(x)
#define LEN(x) VSTRING_LEN(x)

 /*
  * EHLO keyword filter: lookup tables naming the EHLO keywords that are
  * withheld from a given client (populated from var_smtpd_ehlo_dis_maps).
  */
static MAPS *ehlo_discard_maps;

 /*
  * VERP command name. VERP_CMD_LEN must equal strlen(VERP_CMD) (5 for
  * "XVERP"); (sizeof(VERP_CMD) - 1) would keep the two in sync by
  * construction.
  */
#define VERP_CMD "XVERP"
#define VERP_CMD_LEN 5

static NAMADR_LIST *verp_clients;	/* clients allowed to request VERP */

 /*
  * XCLIENT command. Access control is cached, so that XCLIENT can't override
  * its own access control: the decision whether this client may use XCLIENT
  * is kept in xclient_allowed rather than re-evaluated after the client has
  * replaced its own name/address attributes, so a client that has
  * rewritten its identity cannot thereby become eligible for more XCLIENT
  * use. NOTE(review): presumably decided once per connection; the call
  * site is outside this listing.
  */
static NAMADR_LIST *xclient_hosts;
static int xclient_allowed; /* XXX should be SMTPD_STATE member */

 /*
  * XFORWARD command. Access control is cached, for the same reason as with
  * XCLIENT above.
  */
static NAMADR_LIST *xforward_hosts;
static int xforward_allowed; /* XXX should be SMTPD_STATE member */

 /*
  * Client connection and rate limiting, implemented with the anvil(8)
  * service. hogger_list names the clients that are exempt from the
  * per-client limits (see smtpd_client_event_limit_exceptions above).
  */
ANVIL_CLNT *anvil_clnt;
static NAMADR_LIST *hogger_list;

 /*
  * Other application-specific globals.
  */
int smtpd_input_transp_mask;	/* input transparency bit mask */

 /*
  * Forward declarations. These reset the per-session HELO, MAIL, RCPT and
  * command-history state; their definitions are further down in this file,
  * outside this listing.
  */
static void helo_reset(SMTPD_STATE *);
static void mail_reset(SMTPD_STATE *);
static void rcpt_reset(SMTPD_STATE *);
static void chat_reset(SMTPD_STATE *, int);

#ifdef USE_TLS
static void tls_reset(SMTPD_STATE *);

#endif

 /*
  * This filter is applied after printable(). The set is space, '<', '>',
  * '(', ')', backslash, double quote, ';' and '@' - characters that remain
  * printable but would be structurally significant if a client-supplied
  * string were placed into an address, comment or quoted context.
  * NOTE(review): the call site is outside this listing.
  */
#define NEUTER_CHARACTERS " <>()\\\";@"

 /*
  * Reasons for losing the client, as they appear in log messages.
  */
#define REASON_TIMEOUT "timeout"
#define REASON_LOST_CONNECTION "lost connection"
#define REASON_ERROR_LIMIT "too many errors"

 /*
  * Mail filter initialization status.
  */
MILTERS *smtpd_milters;

#ifdef USE_TLS

 /*
  * TLS initialization status: the shared TLS application context, and
  * whether a client certificate is requested (TLS builds only).
  */
static TLS_APPL_STATE *smtpd_tls_ctx;
static int ask_client_cert;

#endif

 /*
  * SMTP command mapping for broken clients (populated from
  * var_smtpd_cmd_filter).
  */
static DICT *smtpd_cmd_filter;
1486
1487#ifdef USE_SASL_AUTH
1488
1489 /*
1490 * SASL exceptions.
1491 */
1492static NAMADR_LIST *sasl_exceptions_networks;
1493
1494/* sasl_client_exception - can we offer AUTH for this client */
1495
static int sasl_client_exception(SMTPD_STATE *state)
{
    int     result;

    /*
     * Work-around for a Netscape mail client bug: that client attempts AUTH
     * whenever it is announced, even when the user never configured it.
     * Clients listed in sasl_exceptions_networks therefore must not see
     * AUTH in the EHLO response. The result is non-zero when AUTH is to be
     * withheld. When the table lookup fails, the table's error status is
     * returned instead, so that the caller can refuse to guess rather than
     * announce or hide AUTH by accident.
     */
    if (sasl_exceptions_networks == 0)
	return (0);

    result = namadr_list_match(sasl_exceptions_networks,
			       state->name, state->addr);
    if (result == 0)
	result = sasl_exceptions_networks->error;

    if (msg_verbose)
	msg_info("sasl_exceptions: %s, match=%d", state->namaddr, result);

    return (result);
}
1518
1519#endif
1520
1521/* smtpd_whatsup - gather available evidence for logging */
1522
static const char *smtpd_whatsup(SMTPD_STATE *state)
{
    static VSTRING *buf = 0;

    /*
     * Collect whatever transaction context is known (sender, recipient,
     * protocol, HELO name) as " key=value" fragments in one reusable
     * static buffer, for inclusion in log messages. The buffer is
     * overwritten on every call, so callers must consume the result
     * before calling again; the result is never freed by the caller.
     */
#define WHATSUP_APPEND(fmt, value) do { \
	if ((value) != 0) \
	    vstring_sprintf_append(buf, (fmt), (value)); \
    } while (0)

    if (buf != 0)
	VSTRING_RESET(buf);
    else
	buf = vstring_alloc(100);

    WHATSUP_APPEND(" from=<%s>", state->sender);
    WHATSUP_APPEND(" to=<%s>", state->recipient);
    WHATSUP_APPEND(" proto=%s", state->protocol);
    WHATSUP_APPEND(" helo=<%s>", state->helo_name);
#undef WHATSUP_APPEND

    return (STR(buf));
}
1541
1542/* collapse_args - put arguments together again */
1543
static void collapse_args(int argc, SMTPD_TOKEN *argv)
{
    SMTPD_TOKEN *tp;
    SMTPD_TOKEN *end = argv + argc;

    /*
     * Re-join tokens argv[1..argc-1] onto argv[0], separated by single
     * spaces, and re-point argv[0].strval at the (possibly reallocated)
     * buffer. With argc <= 1 nothing is appended, but argv[0].strval is
     * still refreshed.
     */
    for (tp = argv + 1; tp < end; tp++) {
	vstring_strcat(argv[0].vstrval, " ");
	vstring_strcat(argv[0].vstrval, tp->strval);
    }
    argv[0].strval = STR(argv[0].vstrval);
}
1554
1555/* check_milter_reply - process reply from Milter */
1556
static const char *check_milter_reply(SMTPD_STATE *state, const char *reply)
{
    const char *queue_id = state->queue_id ? state->queue_id : "NOQUEUE";
    const char *action;
    const char *result = reply;
    const char *text = 0;

    /*
     * Map a Milter reply onto a Postfix action. 'H' (hold) and 'D'
     * (discard) are recorded in state->saved_flags and produce no SMTP
     * reply; 'S' (shutdown) becomes a 421 disconnect; 4xx and 5xx replies
     * are passed through unchanged; anything else is treated as a
     * configuration error and turned into a 421. Every outcome is logged
     * together with the available transaction context.
     *
     * The syntax of user-specified SMTP replies is checked by the Milter
     * module, because the replies are also used in the cleanup server.
     * Automatically disconnect after 421 (shutdown) reply. The Sendmail 8
     * Milter quarantine action is not final, so it is not included in
     * MILTER_SKIP_FLAGS.
     *
     * Returns the SMTP reply text to send, or null when no reply is due.
     */
#define MILTER_SKIP_FLAGS (CLEANUP_FLAG_DISCARD)

    switch (reply[0]) {
    case 'H':
	state->saved_flags |= CLEANUP_FLAG_HOLD;
	action = "milter-hold";
	result = 0;
	text = "milter triggers HOLD action";
	break;
    case 'D':
	state->saved_flags |= CLEANUP_FLAG_DISCARD;
	action = "milter-discard";
	result = 0;
	text = "milter triggers DISCARD action";
	break;
    case 'S':
	state->error_mask |= MAIL_ERROR_POLICY;
	action = "milter-reject";
	result = "421 4.7.0 Server closing connection";
	break;
    case '4':
    case '5':
	state->error_mask |= MAIL_ERROR_POLICY;
	action = "milter-reject";
	break;
    default:
	state->error_mask |= MAIL_ERROR_SOFTWARE;
	action = "reject";
	result = "421 4.3.5 Server configuration error";
	break;
    }
    msg_info("%s: %s: %s from %s: %s;%s", queue_id, action, state->where,
	     state->namaddr, result ? result : text, smtpd_whatsup(state));
    return (result);
}
1608
1609/* helo_cmd - process HELO command */
1610
static int helo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;
    char   *saved_helo;

    /*
     * Validate the HELO argument, consult the access policy and the
     * Milters, then start a fresh session and record a sanitized copy of
     * the HELO name. Returns 0 after the 250 reply, -1 after an error
     * reply.
     *
     * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other
     * than the initial greeting and any response to HELO or EHLO are
     * prefaced with a status code as defined in RFC 3463. That is why the
     * replies in this function carry no enhanced status code.
     */
    if (argc < 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 Syntax: HELO hostname");
	return (-1);
    }
    /* An argument containing white space arrives as several tokens. */
    if (argc > 2)
	collapse_args(argc - 1, argv + 1);

    /*
     * Access policy, unless rejects are delayed or we run stand-alone.
     */
    if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_delay_reject == 0) {
	err = smtpd_check_helo(state, argv[1].strval);
	if (err != 0) {
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }

    /*
     * XXX Sendmail compatibility: if a Milter rejects CONNECT, EHLO, or
     * HELO, reply with 250 except in case of 421 (disconnect). The reply
     * persists so it will apply to MAIL FROM and to other commands such as
     * AUTH, STARTTLS, and VRFY.
     *
     * The PUSH_STRING/POP_STRING macros are also used by ehlo_cmd() and
     * must stay defined here. Note that they deliberately contain
     * unbalanced braces: together they open and close one block.
     */
#define PUSH_STRING(old, curr, new) { char *old = (curr); (curr) = (new);
#define POP_STRING(old, curr) (curr) = old; }

    if (smtpd_milters != 0
	&& SMTPD_STAND_ALONE(state) == 0
	&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
	err = milter_helo_event(smtpd_milters, argv[1].strval, 0);
	if (err != 0) {
	    /* Log the Milter verdict with the HELO name being processed. */
	    saved_helo = state->helo_name;
	    state->helo_name = argv[1].strval;
	    err = check_milter_reply(state, err);
	    state->helo_name = saved_helo;
	    if (err != 0 && strncmp(err, "421", 3) == 0) {
		smtpd_chat_reply(state, "%s", err);
		return (-1);
	    }
	}
    }

    /*
     * Start over: forget the previous HELO name (helo_reset() also aborts
     * a pending Milter transaction), the command history, and any
     * MAIL/RCPT state.
     */
    if (state->helo_name != 0)
	helo_reset(state);
    chat_reset(state, var_smtpd_hist_thrsh);
    mail_reset(state);
    rcpt_reset(state);

    /*
     * Keep a sanitized copy of the client-supplied name: printable() and
     * neuter() replace unwanted bytes and NEUTER_CHARACTERS with '?', so
     * the stored name is safe to log and to write into queue file records.
     */
    state->helo_name = mystrdup(printable(argv[1].strval, '?'));
    neuter(state->helo_name, NEUTER_CHARACTERS, '?');

    /*
     * Downgrading the protocol name breaks the unauthorized pipelining
     * test, so leave it alone when it already reads SMTP or ESMTP.
     */
    if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
	&& strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) {
	myfree(state->protocol);
	state->protocol = mystrdup(MAIL_PROTO_SMTP);
    }
    smtpd_chat_reply(state, "250 %s", var_myhostname);
    return (0);
}
1672
1673/* cant_announce_feature - explain and terminate this session */
1674
static NORETURN cant_announce_feature(SMTPD_STATE *state, const char *feature)
{
    const char *client = state->namaddr;

    /*
     * The decision whether to announce an EHLO keyword depends on a lookup
     * table that reported an error. Rather than guess (and announce or
     * withhold a feature by accident), log the problem and abandon the
     * session through the client stream's error handler. Never returns.
     */
    msg_warn("don't know if EHLO feature %s should be announced to %s",
	     feature, client);
    vstream_longjmp(state->client, SMTP_ERR_DATA);
}
1681
1682/* cant_permit_command - explain and terminate this session */
1683
static NORETURN cant_permit_command(SMTPD_STATE *state, const char *command)
{
    const char *client = state->namaddr;

    /*
     * The decision whether to allow a command depends on information that
     * is unavailable (for example a failed table lookup). Log the problem
     * and abandon the session through the client stream's error handler
     * instead of guessing. Never returns.
     */
    msg_warn("don't know if command %s should be allowed from %s",
	     command, client);
    vstream_longjmp(state->client, SMTP_ERR_DATA);
}
1690
1691/* ehlo_cmd - process EHLO command */
1692
static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;
    int     discard_mask;
    char  **cpp;

    /*
     * Process the EHLO command: validate the argument, apply the access
     * policy and Milter checks, reset the session, record a sanitized copy
     * of the HELO name, and announce the ESMTP keywords enabled for this
     * client. Returns 0 after the multi-line 250 reply, -1 after an error
     * reply; a failed lookup table abandons the session via
     * vstream_longjmp() instead of guessing what to announce.
     *
     * XXX 2821 new feature: Section 4.1.4 specifies that a server must clear
     * all buffers and reset the state exactly as if a RSET command had been
     * issued.
     *
     * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other
     * than the initial greeting and any response to HELO or EHLO are
     * prefaced with a status code as defined in RFC 3463.
     */
    if (argc < 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 Syntax: EHLO hostname");
	return (-1);
    }
    /* An argument containing white space arrives as several tokens. */
    if (argc > 2)
	collapse_args(argc - 1, argv + 1);
    if (SMTPD_STAND_ALONE(state) == 0
	&& var_smtpd_delay_reject == 0
	&& (err = smtpd_check_helo(state, argv[1].strval)) != 0) {
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }

    /*
     * XXX Sendmail compatibility: if a Milter 5xx rejects CONNECT, EHLO, or
     * HELO, reply with ENHANCEDSTATUSCODES except in case of immediate
     * disconnect. The reply persists so it will apply to MAIL FROM and to
     * other commands such as AUTH, STARTTLS, and VRFY.
     *
     * err must be cleared here: the condition below may short-circuit
     * without assigning it, and err is consulted again when the discard
     * mask is computed.
     */
    err = 0;
    if (smtpd_milters != 0
	&& SMTPD_STAND_ALONE(state) == 0
	&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0
	&& (err = milter_helo_event(smtpd_milters, argv[1].strval, 1)) != 0) {
	/* Log reject etc. with correct HELO information. */
	PUSH_STRING(saved_helo, state->helo_name, argv[1].strval);
	err = check_milter_reply(state, err);
	POP_STRING(saved_helo, state->helo_name);
	if (err != 0 && strncmp(err, "421", 3) == 0) {
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }
    /* Start over, as after RSET. helo_reset() also aborts the Milter transaction. */
    if (state->helo_name != 0)
	helo_reset(state);
    chat_reset(state, var_smtpd_hist_thrsh);
    mail_reset(state);
    rcpt_reset(state);
    /* Sanitized copy: unwanted bytes and NEUTER_CHARACTERS become '?'. */
    state->helo_name = mystrdup(printable(argv[1].strval, '?'));
    neuter(state->helo_name, NEUTER_CHARACTERS, '?');

    /*
     * XXX reject_unauth_pipelining depends on the following. If the user
     * sends EHLO then we announce PIPELINING and we can't accuse them of
     * using pipelining in places where it is allowed.
     *
     * XXX The reject_unauth_pipelining test needs to change and also account
     * for mechanisms that disable PIPELINING selectively.
     */
    if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0) {
	myfree(state->protocol);
	state->protocol = mystrdup(MAIL_PROTO_ESMTP);
    }

    /*
     * Build the EHLO response, producing no output until we know what to
     * send - this simplifies exception handling. The CRLF record boundaries
     * don't exist at this level in the code, so we represent multi-line
     * output as an array of single-line responses.
     *
     * Note that (cmd) is used as a printf-style format string, so only
     * pass string constants to these macros, never client-derived text.
     */
#define EHLO_APPEND(state, cmd) \
    do { \
	vstring_sprintf((state)->ehlo_buf, (cmd)); \
	argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \
    } while (0)

#define EHLO_APPEND1(state, cmd, arg) \
    do { \
	vstring_sprintf((state)->ehlo_buf, (cmd), (arg)); \
	argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \
    } while (0)

    /*
     * XXX Sendmail compatibility: if a Milter 5XX rejects CONNECT, EHLO, or
     * HELO, reply with ENHANCEDSTATUSCODES only. The reply persists so it
     * will apply to MAIL FROM, but we currently don't have a proper
     * mechanism to apply Milter rejects to AUTH, STARTTLS, VRFY, and other
     * commands while still allowing HELO/EHLO.
     *
     * After a Milter 5xx, every keyword except ENHANCEDSTATUSCODES is
     * discarded. The discard decision is logged unless the mask is empty
     * or the SILENT bit is set.
     */
    discard_mask = state->ehlo_discard_mask;
    if (err != 0 && err[0] == '5')
	discard_mask |= ~EHLO_MASK_ENHANCEDSTATUSCODES;
    if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
	if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
	    msg_info("discarding EHLO keywords: %s", str_ehlo_mask(discard_mask));
    /* Fail closed: a broken keyword filter table ends the session. */
    if (ehlo_discard_maps && ehlo_discard_maps->error) {
	msg_warn("don't know what EHLO features to announce to %s",
		 state->namaddr);
	vstream_longjmp(state->client, SMTP_ERR_DATA);
    }

    /*
     * These may still exist after a prior exception.
     */
    if (state->ehlo_argv == 0) {
	state->ehlo_argv = argv_alloc(10);
	state->ehlo_buf = vstring_alloc(10);
    } else
	argv_truncate(state->ehlo_argv, 0);

    /* The first response line carries our hostname, then one keyword per line. */
    EHLO_APPEND1(state, "%s", var_myhostname);
    if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
	EHLO_APPEND(state, "PIPELINING");
    if ((discard_mask & EHLO_MASK_SIZE) == 0) {
	if (var_message_limit)
	    EHLO_APPEND1(state, "SIZE %lu",
			 (unsigned long) var_message_limit);	/* XXX */
	else
	    EHLO_APPEND(state, "SIZE");
    }
    if ((discard_mask & EHLO_MASK_VRFY) == 0)
	if (var_disable_vrfy_cmd == 0)
	    EHLO_APPEND(state, SMTPD_CMD_VRFY);
    if ((discard_mask & EHLO_MASK_ETRN) == 0)
	EHLO_APPEND(state, SMTPD_CMD_ETRN);
#ifdef USE_TLS
    /* Offer STARTTLS only when TLS is enabled and not already active. */
    if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
	if (var_smtpd_use_tls && (!state->tls_context))
	    EHLO_APPEND(state, SMTPD_CMD_STARTTLS);
#endif
#ifdef USE_SASL_AUTH
#ifndef AUTH_CMD
#define AUTH_CMD "AUTH"
#endif
    /*
     * AUTH is withheld for clients in sasl_exceptions_networks; when that
     * table fails, cant_announce_feature() ends the session.
     */
    if ((discard_mask & EHLO_MASK_AUTH) == 0) {
	if (smtpd_sasl_is_active(state) && !sasl_client_exception(state)) {
	    EHLO_APPEND1(state, "AUTH %s", state->sasl_mechanism_list);
	    if (var_broken_auth_clients)
		EHLO_APPEND1(state, "AUTH=%s", state->sasl_mechanism_list);
	} else if (sasl_exceptions_networks && sasl_exceptions_networks->error)
	    cant_announce_feature(state, AUTH_CMD);
    }
#define XCLIENT_LOGIN_KLUDGE " " XCLIENT_LOGIN
#else
#define XCLIENT_LOGIN_KLUDGE ""
#endif
    if ((discard_mask & EHLO_MASK_VERP) == 0) {
	if (namadr_list_match(verp_clients, state->name, state->addr))
	    EHLO_APPEND(state, VERP_CMD);
	else if (verp_clients && verp_clients->error)
	    cant_announce_feature(state, VERP_CMD);
    }
    /* XCLIENT must not override its own access control. */
    if ((discard_mask & EHLO_MASK_XCLIENT) == 0) {
	if (xclient_allowed)
	    EHLO_APPEND(state, XCLIENT_CMD
			" " XCLIENT_NAME " " XCLIENT_ADDR
			" " XCLIENT_PROTO " " XCLIENT_HELO
			" " XCLIENT_REVERSE_NAME " " XCLIENT_PORT
			XCLIENT_LOGIN_KLUDGE);
	else if (xclient_hosts && xclient_hosts->error)
	    cant_announce_feature(state, XCLIENT_CMD);
    }
    if ((discard_mask & EHLO_MASK_XFORWARD) == 0) {
	if (xforward_allowed)
	    EHLO_APPEND(state, XFORWARD_CMD
			" " XFORWARD_NAME " " XFORWARD_ADDR
			" " XFORWARD_PROTO " " XFORWARD_HELO
			" " XFORWARD_DOMAIN " " XFORWARD_PORT
			" " XFORWARD_IDENT);
	else if (xforward_hosts && xforward_hosts->error)
	    cant_announce_feature(state, XFORWARD_CMD);
    }
    if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
	EHLO_APPEND(state, "ENHANCEDSTATUSCODES");
    if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
	EHLO_APPEND(state, "8BITMIME");
    if ((discard_mask & EHLO_MASK_DSN) == 0)
	EHLO_APPEND(state, "DSN");
    if (var_smtputf8_enable && (discard_mask & EHLO_MASK_SMTPUTF8) == 0)
	EHLO_APPEND(state, "SMTPUTF8");

    /*
     * Send the reply. Every line but the last uses the "250-" continuation
     * form; the last one uses "250 ".
     */
    for (cpp = state->ehlo_argv->argv; *cpp; cpp++)
	smtpd_chat_reply(state, "250%c%s", cpp[1] ? '-' : ' ', *cpp);

    /*
     * Clean up.
     */
    argv_free(state->ehlo_argv);
    state->ehlo_argv = 0;
    vstring_free(state->ehlo_buf);
    state->ehlo_buf = 0;

    return (0);
}
1897
1898/* helo_reset - reset HELO/EHLO command stuff */
1899
static void helo_reset(SMTPD_STATE *state)
{
    char   *old_name = state->helo_name;

    /*
     * Forget the HELO/EHLO name and release the EHLO response scratch
     * space. Forgetting a HELO name also aborts the Milter conversation,
     * except in stand-alone mode or when no Milters are in use. Every
     * member is nulled after release, so a repeated call is harmless.
     */
    if (old_name != 0) {
	state->helo_name = 0;
	myfree(old_name);
	if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0)
	    milter_abort(smtpd_milters);
    }
    if (state->ehlo_argv != 0) {
	argv_free(state->ehlo_argv);
	state->ehlo_argv = 0;
    }
    if (state->ehlo_buf != 0) {
	vstring_free(state->ehlo_buf);
	state->ehlo_buf = 0;
    }
}
1917
1918#ifdef USE_SASL_AUTH
1919
1920/* smtpd_sasl_auth_cmd_wrapper - smtpd_sasl_auth_cmd front-end */
1921
static int smtpd_sasl_auth_cmd_wrapper(SMTPD_STATE *state, int argc,
				               SMTPD_TOKEN *argv)
{
    int     rate;
    int     limited;

    /*
     * Enforce the per-client AUTH command rate limit before handing the
     * command to smtpd_sasl_auth_cmd(). The limit does not apply in
     * stand-alone mode, to XCLIENT-authorized hosts, when no anvil client
     * exists, when the limit is disabled (<= 0), or to clients in
     * hogger_list. When anvil reports a rate above the limit, record a
     * policy error and reply with a temporary 450; otherwise delegate.
     */
    limited = (SMTPD_STAND_ALONE(state) == 0
	       && !xclient_allowed
	       && anvil_clnt
	       && var_smtpd_cauth_limit > 0
	       && !namadr_list_match(hogger_list, state->name, state->addr));
    if (limited
	&& anvil_clnt_auth(anvil_clnt, state->service, state->addr,
			   &rate) == ANVIL_STAT_OK
	&& rate > var_smtpd_cauth_limit) {
	state->error_mask |= MAIL_ERROR_POLICY;
	msg_warn("AUTH command rate limit exceeded: %d from %s for service %s",
		 rate, state->namaddr, state->service);
	smtpd_chat_reply(state,
			 "450 4.7.1 Error: too many AUTH commands from %s",
			 state->addr);
	return (-1);
    }
    return (smtpd_sasl_auth_cmd(state, argc, argv));
}
1945
1946#endif
1947
1948/* mail_open_stream - open mail queue file or IPC stream */
1949
static int mail_open_stream(SMTPD_STATE *state)
{

    /*
     * Open the destination for the message that a MAIL FROM command
     * starts: the before-queue filter, the cleanup service, or the postdrop
     * helper. When a queue stream results, write the envelope prefix
     * records (arrival time, filter transport, forwarded identity, SASL and
     * DSN attributes, sender, client attributes) and log the queue ID with
     * the client identity. Returns 0 on success, -1 when the before-queue
     * filter could not be reached; failure to reach cleanup or postdrop
     * goes through msg_fatal() and does not return.
     *
     * Connect to the before-queue filter when one is configured. The MAIL
     * FROM and RCPT TO commands are forwarded as received (including DSN
     * attributes), with the exception that the before-filter smtpd process
     * handles all authentication, encryption, access control and relay
     * control, and that the before-filter smtpd process does not forward
     * blocked commands. If the after-filter smtp server does not support
     * some of Postfix's ESMTP features, then they must be turned off in the
     * before-filter smtpd process with the smtpd_discard_ehlo_keywords
     * feature.
     */
    if (state->proxy_mail) {
	if (smtpd_proxy_create(state, smtpd_proxy_opts, var_smtpd_proxy_filt,
			       var_smtpd_proxy_tmout, var_smtpd_proxy_ehlo,
			       state->proxy_mail) != 0) {
	    /* The proxy's own reply text is relayed to the client. */
	    smtpd_chat_reply(state, "%s", STR(state->proxy->reply));
	    smtpd_proxy_free(state);
	    return (-1);
	}
    }

    /*
     * If running from the master or from inetd, connect to the cleanup
     * service.
     *
     * XXX 2821: An SMTP server is not allowed to "clean up" mail except in the
     * case of original submissions.
     *
     * We implement this by distinguishing between mail that we are willing to
     * rewrite (the local rewrite context) and mail from elsewhere.
     */
    else if (SMTPD_STAND_ALONE(state) == 0) {
	int     cleanup_flags;

	/*
	 * The SMTPUTF8 flag comes from the MAIL FROM parameter when given;
	 * otherwise cleanup is asked to autodetect it.
	 */
	cleanup_flags = input_transp_cleanup(CLEANUP_FLAG_MASK_EXTERNAL,
					     smtpd_input_transp_mask)
	    | CLEANUP_FLAG_SMTP_REPLY;
	if (state->flags & SMTPD_FLAG_SMTPUTF8)
	    cleanup_flags |= CLEANUP_FLAG_SMTPUTF8;
	else
	    cleanup_flags |= smtputf8_autodetect(MAIL_SRC_MASK_SMTPD);
	state->dest = mail_stream_service(MAIL_CLASS_PUBLIC,
					  var_cleanup_service);
	/* Not connecting to cleanup is unrecoverable for this process. */
	if (state->dest == 0
	    || attr_print(state->dest->stream, ATTR_FLAG_NONE,
			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, cleanup_flags),
			  ATTR_TYPE_END) != 0)
	    msg_fatal("unable to connect to the %s %s service",
		      MAIL_CLASS_PUBLIC, var_cleanup_service);
    }

    /*
     * Otherwise, pipe the message through the privileged postdrop helper.
     * XXX Make postdrop a manifest constant.
     */
    else {
	char   *postdrop_command;

	/* Command text is built from configuration only, never from client input. */
	postdrop_command = concatenate(var_command_dir, "/postdrop",
				   msg_verbose ? " -v" : (char *) 0, (char *) 0);
	state->dest = mail_stream_command(postdrop_command);
	if (state->dest == 0)
	    msg_fatal("unable to execute %s", postdrop_command);
	myfree(postdrop_command);
    }

    /*
     * Record the time of arrival, the SASL-related stuff if applicable, the
     * sender envelope address, some session information, and some additional
     * attributes.
     *
     * XXX Send Milter information first, because this will hang when cleanup
     * goes into "throw away" mode. Also, cleanup needs to know early on
     * whether or not it has to do its own SMTP event emulation.
     *
     * XXX At this point we send only dummy information to keep the cleanup
     * server from using its non_smtpd_milters settings. We have to send
     * up-to-date Milter information after DATA so that the cleanup server
     * knows the actual Milter state.
     *
     * NOTE(review): state->dest is not assigned on the before-queue filter
     * path above, so with a proxy in use the records below are skipped
     * here; presumably the proxy path handles them elsewhere - confirm.
     */
    if (state->dest) {
	state->cleanup = state->dest->stream;
	state->queue_id = mystrdup(state->dest->id);
	if (SMTPD_STAND_ALONE(state) == 0) {
	    if (smtpd_milters != 0
		&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
		/* Send place-holder smtpd_milters list. */
		(void) milter_dummy(smtpd_milters, state->cleanup);
	    rec_fprintf(state->cleanup, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
			REC_TYPE_TIME_ARG(state->arrival_time));
	    if (*var_filter_xport)
		rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s", var_filter_xport);
	    if (FORWARD_IDENT(state))
		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			    MAIL_ATTR_LOG_IDENT, FORWARD_IDENT(state));
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_RWR_CONTEXT, FORWARD_DOMAIN(state));
#ifdef USE_SASL_AUTH
	    /* Make external authentication painless (e.g., XCLIENT). */
	    if (state->sasl_method)
		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			    MAIL_ATTR_SASL_METHOD, state->sasl_method);
	    if (state->sasl_username)
		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			    MAIL_ATTR_SASL_USERNAME, state->sasl_username);
	    if (state->sasl_sender)
		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			    MAIL_ATTR_SASL_SENDER, state->sasl_sender);
#endif

	    /*
	     * Record DSN related information that was received with the MAIL
	     * FROM command.
	     *
	     * RFC 3461 Section 5.2.1. If no ENVID parameter was included in the
	     * MAIL command when the message was received, the ENVID
	     * parameter MUST NOT be supplied when the message is relayed.
	     * Ditto for the RET parameter.
	     *
	     * In other words, we can't simply make up our default ENVID or RET
	     * values. We have to remember whether the client sent any.
	     *
	     * We store DSN information as named attribute records so that we
	     * don't have to pollute the queue file with records that are
	     * incompatible with past Postfix versions. Preferably, people
	     * should be able to back out from an upgrade without losing
	     * mail.
	     */
	    if (state->dsn_envid)
		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			    MAIL_ATTR_DSN_ENVID, state->dsn_envid);
	    if (state->dsn_ret)
		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
			    MAIL_ATTR_DSN_RET, state->dsn_ret);
	}
	rec_fputs(state->cleanup, REC_TYPE_FROM, state->sender);
	if (state->encoding != 0)
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_ENCODING, state->encoding);

	/*
	 * Store client attributes.
	 */
	if (SMTPD_STAND_ALONE(state) == 0) {

	    /*
	     * Attributes for logging, also used for XFORWARD.
	     *
	     * We store all client attributes, including ones with unknown
	     * values. Otherwise, an unknown client hostname would be treated
	     * as a non-existent hostname (i.e. local submission).
	     */
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_LOG_CLIENT_NAME, FORWARD_NAME(state));
	    /* XXX Note: state->rfc_addr, not state->addr. */
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_LOG_CLIENT_ADDR, FORWARD_ADDR(state));
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_LOG_CLIENT_PORT, FORWARD_PORT(state));
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_LOG_ORIGIN, FORWARD_NAMADDR(state));
	    if (FORWARD_HELO(state))
		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			    MAIL_ATTR_LOG_HELO_NAME, FORWARD_HELO(state));
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_LOG_PROTO_NAME, FORWARD_PROTO(state));

	    /*
	     * Attributes with actual client information. These are used by
	     * the smtpd Milter client for policy decisions. Mail that is
	     * requeued with "postsuper -r" is not subject to processing by
	     * the cleanup Milter client, because a) it has already been
	     * filtered, and b) we don't have sufficient information to
	     * reproduce the exact same SMTP events and Sendmail macros that
	     * the smtpd Milter client received when the message originally
	     * arrived in Postfix.
	     *
	     * The FORWARD_* values above may come from XCLIENT/XFORWARD; the
	     * values below are what this process actually observed.
	     */
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_ACT_CLIENT_NAME, state->name);
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_ACT_REVERSE_CLIENT_NAME, state->reverse_name);
	    /* XXX Note: state->addr, not state->rfc_addr. */
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_ACT_CLIENT_ADDR, state->addr);
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_ACT_CLIENT_PORT, state->port);
	    /* helo_name was sanitized by printable()/neuter() in helo_cmd/ehlo_cmd. */
	    if (state->helo_name)
		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			    MAIL_ATTR_ACT_HELO_NAME, state->helo_name);
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
			MAIL_ATTR_ACT_PROTO_NAME, state->protocol);
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%u",
			MAIL_ATTR_ACT_CLIENT_AF, state->addr_family);

	    /*
	     * Don't send client certificate down the pipeline unless it is
	     * a) verified or b) just a fingerprint.
	     *
	     * NOTE(review): no code follows this comment here; the TLS
	     * attributes are presumably written elsewhere - confirm.
	     */
	}
	if (state->verp_delims)
	    rec_fputs(state->cleanup, REC_TYPE_VERP, state->verp_delims);
    }

    /*
     * Log the queue ID with the message origin. The PRINT2_OR_NULL macro
     * expands to two arguments (label and value), or two empty strings,
     * which is why the format has a fixed number of %s conversions and the
     * non-SASL build supplies six empty strings.
     */
#define PRINT_OR_NULL(cond, str) \
	    ((cond) ? (str) : "")
#define PRINT2_OR_NULL(cond, name, value) \
	    PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))

    msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
	     (state->queue_id ? state->queue_id : "NOQUEUE"),
	     state->namaddr,
#ifdef USE_SASL_AUTH
	     PRINT2_OR_NULL(state->sasl_method,
			    ", sasl_method=", state->sasl_method),
	     PRINT2_OR_NULL(state->sasl_username,
			    ", sasl_username=", state->sasl_username),
	     PRINT2_OR_NULL(state->sasl_sender,
			    ", sasl_sender=", state->sasl_sender),
#else
	     "", "", "", "", "", "",
#endif
    /* Insert transaction TLS status here. */
	     PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
			    ", orig_queue_id=", FORWARD_IDENT(state)),
	     PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
			    ", orig_client=", FORWARD_NAMADDR(state)));
    return (0);
}
2184
2185/* extract_addr - extract address from rubble */
2186
static int extract_addr(SMTPD_STATE *state, SMTPD_TOKEN *arg,
			        int allow_empty_addr, int strict_rfc821,
			        int smtputf8)
{
    const char *myname = "extract_addr";
    TOK822 *tree;
    TOK822 *tp;
    TOK822 *addr = 0;
    int     naddr;
    int     non_addr;
    int     err = 0;
    char   *junk = 0;
    char   *text;
    char   *colon;

    /*
     * Extract the envelope address from the MAIL FROM / RCPT TO argument in
     * arg, leaving arg itself untouched, and store the internalized result
     * in state->addr_buf (empty when no address was found). Returns 0 when
     * the address is acceptable, 1 after logging an "Illegal address
     * syntax" warning. allow_empty_addr permits the null sender "<>";
     * strict_rfc821 additionally requires the <...> form, no non-address
     * tokens, and no leading '@'; smtputf8 is passed to smtpd_check_addr().
     *
     * Special case.
     */
#define PERMIT_EMPTY_ADDR 1
#define REJECT_EMPTY_ADDR 0

    /*
     * Some mailers send RFC822-style address forms (with comments and such)
     * in SMTP envelopes. We cannot blame users for this: the blame is with
     * programmers violating the RFC, and with sendmail for being permissive.
     *
     * XXX The SMTP command tokenizer must leave the address in externalized
     * (quoted) form, so that the address parser can correctly extract the
     * address from surrounding junk.
     *
     * XXX We have only one address parser, written according to the rules of
     * RFC 822. That standard differs subtly from RFC 821.
     */
    if (msg_verbose)
	msg_info("%s: input: %s", myname, STR(arg->vstrval));
    /*
     * Strip one pair of enclosing angle brackets. The LEN - 1 index is safe
     * because the first test already requires a non-empty string.
     */
    if (STR(arg->vstrval)[0] == '<'
	&& STR(arg->vstrval)[LEN(arg->vstrval) - 1] == '>') {
	junk = text = mystrndup(STR(arg->vstrval) + 1, LEN(arg->vstrval) - 2);
    } else
	text = STR(arg->vstrval);

    /*
     * Truncate deprecated route address form.
     */
    if (*text == '@' && (colon = strchr(text, ':')) != 0)
	text = colon + 1;
    tree = tok822_parse(text);

    /* The parse result no longer refers to the stripped copy. */
    if (junk)
	myfree(junk);

    /*
     * Find trouble.
     */
    for (naddr = non_addr = 0, tp = tree; tp != 0; tp = tp->next) {
	if (tp->type == TOK822_ADDR) {
	    addr = tp;
	    naddr += 1;				/* count address forms */
	} else if (tp->type == '<' || tp->type == '>') {
	     /* void */ ;			/* ignore brackets */
	} else {
	    non_addr += 1;			/* count non-address forms */
	}
    }

    /*
     * Report trouble. XXX Should log a warning only if we are going to
     * sleep+reject so that attackers can't flood our logfiles.
     *
     * XXX Unfortunately, the sleep-before-reject feature had to be abandoned
     * (at least for small error counts) because servers were DOS-ing
     * themselves when flooded by backscatter traffic.
     *
     * The logged text is client-controlled; printable() sanitizes it first.
     */
    if (naddr > 1
	|| (strict_rfc821 && (non_addr || *STR(arg->vstrval) != '<'))) {
	msg_warn("Illegal address syntax from %s in %s command: %s",
		 state->namaddr, state->where,
		 printable(STR(arg->vstrval), '?'));
	err = 1;
    }

    /*
     * Don't overwrite the input with the extracted address. We need the
     * original (external) form in case the client does not send ORCPT
     * information; and error messages are more accurate if we log the
     * unmodified form. We need the internal form for all other purposes.
     *
     * addr_buf is always assigned, even on error, so callers never see a
     * stale address from a previous command.
     */
    if (addr)
	tok822_internalize(state->addr_buf, addr->head, TOK822_STR_DEFL);
    else
	vstring_strcpy(state->addr_buf, "");

    /*
     * Report trouble. XXX Should log a warning only if we are going to
     * sleep+reject so that attackers can't flood our logfiles. Log the
     * original address.
     *
     * smtpd_check_addr() is consulted only when not stand-alone; the
     * recipient is checked for MAIL (state->where == MAIL) and the sender
     * otherwise.
     */
    if (err == 0)
	if ((STR(state->addr_buf)[0] == 0 && !allow_empty_addr)
	    || (strict_rfc821 && STR(state->addr_buf)[0] == '@')
	    || (SMTPD_STAND_ALONE(state) == 0
		&& smtpd_check_addr(strcmp(state->where, SMTPD_CMD_MAIL) == 0 ?
				    state->recipient : state->sender,
				    STR(state->addr_buf), smtputf8) != 0)) {
	    msg_warn("Illegal address syntax from %s in %s command: %s",
		     state->namaddr, state->where,
		     printable(STR(arg->vstrval), '?'));
	    err = 1;
	}

    /*
     * Cleanup.
     */
    tok822_free_tree(tree);
    if (msg_verbose)
	msg_info("%s: in: %s, result: %s",
		 myname, STR(arg->vstrval), STR(state->addr_buf));
    return (err);
}
2306
2307/* milter_argv - impedance adapter */
2308
static const char **milter_argv(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    ssize_t need = argc + 1;
    const char **out;
    int     n;

    /*
     * Present the command tokens to the Milter client as a null-terminated
     * array of string pointers. The array is owned by the SMTPD_STATE and
     * grown on demand (never shrunk); it only borrows the token strings, so
     * the result is valid until the tokens change or the state is freed.
     */
    if (state->milter_argc < need) {
	size_t  bytes = sizeof(*out) * need;

	if (state->milter_argc > 0)
	    out = (const char **) myrealloc((void *) state->milter_argv, bytes);
	else
	    out = (const char **) mymalloc(bytes);
	state->milter_argv = out;
	state->milter_argc = need;
    }
    out = state->milter_argv;
    for (n = 0; n < argc; n++)
	out[n] = argv[n].strval;
    out[argc] = 0;
    return (out);
}
2329
2330/* mail_cmd - process MAIL command */
2331
/*
 * mail_cmd - process the MAIL FROM command.
 *
 * state: per-session SMTP server state. On success the function sets
 *	  state->sender, state->instance and state->arrival_time, and
 *	  optionally state->verp_delims, state->dsn_envid and
 *	  state->proxy_mail; state->encoding, state->dsn_ret and the
 *	  SMTPUTF8 flag are (re)set from the command's parameters.
 * argc, argv: the parsed command tokens; argv[1] must be "FROM:", argv[2]
 *	  is the (possibly empty) sender address, and argv[3..] are optional
 *	  ESMTP parameters.
 *
 * Returns 0 after sending "250 2.1.0 Ok", or -1 after a rejection. Every
 * rejection path shown here sends its own reply before returning, except
 * the mail_open_stream() failure at the end, which is presumably reported
 * by that function itself (not visible here - verify). Rejections that can
 * happen after access-map lookups call mail_reset() first, so that access
 * map side effects (filters, redirects, bcc, flags) do not leak into the
 * next transaction. Most policy checks are skipped in stand-alone mode
 * (SMTPD_STAND_ALONE(state) != 0).
 */
static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;
    int     narg;
    char   *arg;
    char   *verp_delims = 0;		/* non-null once XVERP was accepted */
    int     rate;
    int     dsn_envid = 0;		/* non-zero once ENVID= was accepted */

    /* Per-transaction attributes that MAIL parameters may set below. */
    state->flags &= ~SMTPD_FLAG_SMTPUTF8;
    state->encoding = 0;
    state->dsn_ret = 0;

    /*
     * Sanity checks: HELO/EHLO must precede MAIL when configured so, MAIL
     * must not be nested, and the command must have the "FROM:<address>"
     * shape.
     *
     * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a
     * command in which invalid character codes have been employed, and for
     * which there are no other reasons for rejection, MUST reject that
     * command with a 501 response. Postfix attempts to be 8-bit clean.
     */
    if (var_helo_required && state->helo_name == 0) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "503 5.5.1 Error: send HELO/EHLO first");
	return (-1);
    }
    if (SMTPD_IN_MAIL_TRANSACTION(state)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "503 5.5.1 Error: nested MAIL command");
	return (-1);
    }
    if (argc < 3
	|| strcasecmp(argv[1].strval, "from:") != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: MAIL FROM:<address>");
	return (-1);
    }

    /*
     * Per-client MAIL rate limit, enforced through the anvil server before
     * any address parsing is done. The 450 reply is temporary, so a
     * well-behaved client can retry later.
     *
     * XXX The client event count/rate control must be consistent in its use
     * of client address information in connect and disconnect events. For
     * now we exclude xclient authorized hosts from event count/rate control.
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& !xclient_allowed
	&& anvil_clnt
	&& var_smtpd_cmail_limit > 0
	&& !namadr_list_match(hogger_list, state->name, state->addr)
	&& anvil_clnt_mail(anvil_clnt, state->service, state->addr,
			   &rate) == ANVIL_STAT_OK
	&& rate > var_smtpd_cmail_limit) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s",
			 state->addr);
	msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s",
		 rate, state->namaddr, state->service);
	return (-1);
    }
    /* The tokenizer already flagged this argument as malformed. */
    if (argv[2].tokval == SMTPD_TOK_ERROR) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax");
	return (-1);
    }

    /*
     * XXX The sender address comes first, but the optional SMTPUTF8
     * parameter determines what address syntax is permitted. We must process
     * this parameter early.
     */
    if (var_smtputf8_enable
	&& (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0) {
	for (narg = 3; narg < argc; narg++) {
	    arg = argv[narg].strval;
	    if (strcasecmp(arg, "SMTPUTF8") == 0) {	/* RFC 6531 */
		/* Fix 20161206: allow UTF8 in smtpd_sender_restrictions. */
		state->flags |= SMTPD_FLAG_SMTPUTF8;
		break;
	    }
	}
    }

    /*
     * Parse the sender into state->addr_buf. The null sender <> is legal
     * for MAIL FROM (PERMIT_EMPTY_ADDR), unlike RCPT TO.
     */
    if (extract_addr(state, argv + 2, PERMIT_EMPTY_ADDR,
		     var_strict_rfc821_env,
		     state->flags & SMTPD_FLAG_SMTPUTF8) != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax");
	return (-1);
    }

    /*
     * ESMTP MAIL parameters. Each one is matched case-insensitively; any
     * parameter that is not recognized (or not enabled) is rejected with a
     * 555, and the offending parameter text is echoed back in that reply.
     */
    for (narg = 3; narg < argc; narg++) {
	arg = argv[narg].strval;
	if (strcasecmp(arg, "BODY=8BITMIME") == 0) {	/* RFC 1652 */
	    state->encoding = MAIL_ATTR_ENC_8BIT;
	} else if (strcasecmp(arg, "BODY=7BIT") == 0) {	/* RFC 1652 */
	    state->encoding = MAIL_ATTR_ENC_7BIT;
	} else if (strncasecmp(arg, "SIZE=", 5) == 0) {	/* RFC 1870 */
	    /* Reject non-numeric size. */
	    if (!alldig(arg + 5)) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.5.4 Bad message size syntax");
		return (-1);
	    }
	    /*
	     * Reject size overflow: a negative result from off_cvt_string()
	     * signals that the digits do not fit an off_t. The value itself
	     * is compared against the configured limit by smtpd_check_size()
	     * after the parameter loop.
	     */
	    if ((state->msg_size = off_cvt_string(arg + 5)) < 0) {
		state->error_mask |= MAIL_ERROR_POLICY;
		smtpd_chat_reply(state, "552 5.3.4 Message size exceeds file system imposed limit");
		return (-1);
	    }
	} else if (var_smtputf8_enable
		   && (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0
		   && strcasecmp(arg, "SMTPUTF8") == 0) {	/* RFC 6531 */
	    /* Already processed early. */ ;
#ifdef USE_SASL_AUTH
	} else if (strncasecmp(arg, "AUTH=", 5) == 0) {
	    /* AUTH= parameter validation is delegated to the SASL module. */
	    if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) {
		smtpd_chat_reply(state, "%s", err);
		return (-1);
	    }
#endif
	} else if (namadr_list_match(verp_clients, state->name, state->addr)
		   && strncasecmp(arg, VERP_CMD, VERP_CMD_LEN) == 0
		   && (arg[VERP_CMD_LEN] == '=' || arg[VERP_CMD_LEN] == 0)) {
	    /*
	     * XVERP is honored only for clients listed in verp_clients. A
	     * bare XVERP uses the configured default delimiters; an explicit
	     * XVERP=xy value must pass verp_delims_verify().
	     */
	    if (arg[VERP_CMD_LEN] == 0) {
		verp_delims = var_verp_delims;
	    } else {
		verp_delims = arg + VERP_CMD_LEN + 1;
		if (verp_delims_verify(verp_delims) != 0) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state,
			   "501 5.5.4 Error: %s needs two characters from %s",
				     VERP_CMD, var_verp_filter);
		    return (-1);
		}
	    }
	} else if (strncasecmp(arg, "RET=", 4) == 0) {	/* RFC 3461 */
	    /* Sanitized on input. */
	    if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
		return (-1);
	    }
	    /* A repeated RET= (dsn_ret already set) or unknown value is an error. */
	    if (state->dsn_ret
		|| (state->dsn_ret = dsn_ret_code(arg + 4)) == 0) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state,
				 "501 5.5.4 Bad RET parameter syntax");
		return (-1);
	    }
	} else if (strncasecmp(arg, "ENVID=", 6) == 0) {	/* RFC 3461 */
	    /* Sanitized by bounce server. */
	    if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
		return (-1);
	    }
	    /*
	     * A repeated ENVID=, a malformed xtext encoding, or a decoded
	     * value with non-printable characters is rejected. The decoded
	     * value stays in state->dsn_buf until it is copied below.
	     */
	    if (dsn_envid
		|| xtext_unquote(state->dsn_buf, arg + 6) == 0
		|| !allprint(STR(state->dsn_buf))) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.5.4 Bad ENVID parameter syntax");
		return (-1);
	    }
	    dsn_envid = 1;
	} else {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg);
	    return (-1);
	}
    }
    /*
     * Size policy applies whether or not the client declared SIZE=;
     * presumably state->msg_size is 0 from mail_reset() when it did not.
     */
    if ((err = smtpd_check_size(state, state->msg_size)) != 0) {
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }
    /* VERP needs a sender address to derive the per-recipient sender from. */
    if (verp_delims && STR(state->addr_buf)[0] == 0) {
	smtpd_chat_reply(state, "503 5.5.4 Error: %s requires non-null sender",
			 VERP_CMD);
	return (-1);
    }
    if (SMTPD_STAND_ALONE(state) == 0) {
	const char *verify_sender;

	/*
	 * XXX Don't reject the address when we're probed with our own
	 * address verification sender address. Otherwise, some timeout or
	 * some UCE block may result in mutual negative caching, making it
	 * painful to get the mail through. Unfortunately we still have to
	 * send the address to the Milters otherwise they may bail out with a
	 * "missing recipient" protocol error.
	 *
	 * Note that this replaces the content of state->addr_buf, so all
	 * checks below see the canonical verification sender.
	 */
	verify_sender = valid_verify_sender_addr(STR(state->addr_buf));
	if (verify_sender != 0)
	    vstring_strcpy(state->addr_buf, verify_sender);
    }
    /*
     * smtpd_sender_restrictions etc. are evaluated here unless
     * smtpd_delay_reject is set, in which case they run at RCPT time.
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& var_smtpd_delay_reject == 0
	&& (err = smtpd_check_mail(state, STR(state->addr_buf))) != 0) {
	/* XXX Reset access map side effects. */
	mail_reset(state);
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }
    /*
     * Milter MAIL event. PUSH_STRING/POP_STRING (macros defined elsewhere)
     * appear to publish the parsed sender in state->sender only for the
     * duration of the Milter call, so that a Milter reject is logged with
     * the right sender while state->sender stays null until the transaction
     * is committed below.
     */
    if (smtpd_milters != 0
	&& SMTPD_STAND_ALONE(state) == 0
	&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
	PUSH_STRING(saved_sender, state->sender, STR(state->addr_buf));
	err = milter_mail_event(smtpd_milters,
				milter_argv(state, argc - 2, argv + 2));
	if (err != 0) {
	    /* Log reject etc. with correct sender information. */
	    err = check_milter_reply(state, err);
	}
	POP_STRING(saved_sender, state->sender);
	if (err != 0) {
	    /* XXX Reset access map side effects. */
	    mail_reset(state);
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }
    /* Address rewriting context lookup (e.g. local vs. remote rewriting). */
    if (SMTPD_STAND_ALONE(state) == 0) {
	err = smtpd_check_rewrite(state);
	if (err != 0) {
	    /* XXX Reset access map side effects. */
	    mail_reset(state);
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }

    /*
     * A non-ASCII sender without the SMTPUTF8 parameter is either rejected
     * (strict_smtputf8) or logged as a compatibility warning.
     *
     * Historically, Postfix does not forbid 8-bit envelope localparts.
     * Changing this would be a compatibility break. That can't happen in the
     * foreseeable future.
     */
    if ((var_strict_smtputf8 || warn_compat_break_smtputf8_enable)
	&& (state->flags & SMTPD_FLAG_SMTPUTF8) == 0
	&& *STR(state->addr_buf) && !allascii(STR(state->addr_buf))) {
	if (var_strict_smtputf8) {
	    smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to "
			     "send unicode address");
	    return (-1);
	}

	/*
	 * Not: #ifndef NO_EAI. They must configure SMTPUTF8_ENABLE=no if a
	 * warning message is logged, so that they don't suddenly start to
	 * lose mail after Postfix is built with EAI support.
	 */
	if (warn_compat_break_smtputf8_enable)
	    msg_info("using backwards-compatible default setting "
		     VAR_SMTPUTF8_ENABLE "=no to accept non-ASCII sender "
		     "address \"%s\" from %s", STR(state->addr_buf),
		     state->namaddr);
    }

    /*
     * Check the queue file space, if applicable. The optional before-filter
     * speed-adjust buffers use disk space. However, we don't know if they
     * compete for storage space with the after-filter queue, so we can't
     * simply bump up the free space requirement to 2.5 * message_size_limit.
     */
    if (!USE_SMTPD_PROXY(state)
	|| (smtpd_proxy_opts & SMTPD_PROXY_FLAG_SPEED_ADJUST)) {
	if (SMTPD_STAND_ALONE(state) == 0
	    && (err = smtpd_check_queue(state)) != 0) {
	    /* XXX Reset access map side effects. */
	    mail_reset(state);
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }

    /*
     * No more early returns. The mail transaction is in progress.
     *
     * Commit the transaction state: record the arrival time, take a private
     * copy of the sender, and build the per-transaction instance id from
     * the process id, arrival time and a per-session sequence number.
     * Copies of the VERP delimiters, the decoded ENVID and the raw MAIL
     * command line (for the proxy) are taken here so they are owned by
     * the state and released by mail_reset().
     */
    GETTIMEOFDAY(&state->arrival_time);
    state->sender = mystrdup(STR(state->addr_buf));
    vstring_sprintf(state->instance, "%x.%lx.%lx.%x",
		    var_pid, (unsigned long) state->arrival_time.tv_sec,
		    (unsigned long) state->arrival_time.tv_usec, state->seqno++);
    if (verp_delims)
	state->verp_delims = mystrdup(verp_delims);
    if (dsn_envid)
	state->dsn_envid = mystrdup(STR(state->dsn_buf));
    if (USE_SMTPD_PROXY(state))
	state->proxy_mail = mystrdup(STR(state->buffer));
    /*
     * Open the cleanup stream now unless smtpd_delay_open defers it to the
     * first valid RCPT. No reply is sent here on failure; presumably
     * mail_open_stream() replies itself - verify.
     */
    if (var_smtpd_delay_open == 0 && mail_open_stream(state) < 0) {
	/* XXX Reset access map side effects. */
	mail_reset(state);
	return (-1);
    }
    smtpd_chat_reply(state, "250 2.1.0 Ok");
    return (0);
}
2624
2625/* mail_reset - reset MAIL command stuff */
2626
/*
 * mail_reset - return the per-session state to the "no MAIL transaction"
 * condition.
 *
 * Aborts any open cleanup stream (the cleanup server discards the queue
 * file on a premature EOF), tells the Milters to abort when a sender had
 * been announced to them, and releases every string and helper object that
 * mail_cmd(), the access maps or the proxy code attached to the state.
 * Also used by mail_cmd() itself to undo access-map side effects when a
 * transaction is rejected late.
 *
 * The order below is deliberate: the cleanup stream goes first, then the
 * Milter abort (while state->sender still identifies the transaction),
 * then the remaining allocations.
 */
static void mail_reset(SMTPD_STATE *state)
{
#define MAIL_RESET_FREE(member) do { \
	if (state->member) { \
	    myfree(state->member); \
	    state->member = 0; \
	} \
    } while (0)

    state->msg_size = 0;
    state->act_size = 0;
    state->flags &= SMTPD_MASK_MAIL_KEEP;

    /*
     * Unceremoniously close the pipe to the cleanup service. The cleanup
     * service will delete the queue file when it detects a premature
     * end-of-file condition on input.
     */
    if (state->cleanup != 0) {
	mail_stream_cleanup(state->dest);
	state->dest = 0;
	state->cleanup = 0;
    }
    state->err = 0;
    MAIL_RESET_FREE(queue_id);

    /* A non-null sender means the Milters saw a MAIL event; abort it. */
    if (state->sender) {
	if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0)
	    milter_abort(smtpd_milters);
	myfree(state->sender);
	state->sender = 0;
    }
    MAIL_RESET_FREE(verp_delims);
    MAIL_RESET_FREE(proxy_mail);

    /* Access-map side effects (FILTER, REDIRECT, BCC, flags). */
    MAIL_RESET_FREE(saved_filter);
    MAIL_RESET_FREE(saved_redirect);
    MAIL_RESET_FREE(saved_bcc);
    state->saved_flags = 0;
#ifdef DELAY_ACTION
    state->saved_delay = 0;
#endif
#ifdef USE_SASL_AUTH
    if (state->sasl_sender)
	smtpd_sasl_mail_reset(state);
#endif
    state->discard = 0;
    VSTRING_RESET(state->instance);
    VSTRING_TERMINATE(state->instance);

    if (state->proxy)
	smtpd_proxy_free(state);
    if (state->xforward.flags)
	smtpd_xforward_reset(state);
    if (state->prepend)
	state->prepend = argv_free(state->prepend);
    MAIL_RESET_FREE(dsn_envid);

    /* The Milter argument vector is (const char **); cast away const for free. */
    if (state->milter_argv) {
	myfree((void *) state->milter_argv);
	state->milter_argv = 0;
	state->milter_argc = 0;
    }
#undef MAIL_RESET_FREE
}
2702
2703/* rcpt_cmd - process RCPT TO command */
2704
/*
 * rcpt_cmd - process the RCPT TO command.
 *
 * state: per-session SMTP server state; an open MAIL transaction is
 *	  required. On success state->rcpt_count is incremented, the first
 *	  recipient is remembered in state->recipient, and - when a cleanup
 *	  stream is open - the recipient plus its DSN attributes are written
 *	  to it and flushed.
 * argc, argv: the parsed command tokens; argv[1] must be "TO:", argv[2] is
 *	  the recipient address, argv[3..] are optional NOTIFY=/ORCPT=
 *	  parameters.
 *
 * Returns 0 after "250 2.1.5 Ok", and also 0 for the first few recipients
 * over smtpd_recipient_limit (they get a 452 but are not counted as a
 * protocol error, see the overshoot logic). Returns -1 after a rejection.
 * Every rejection path shown here replies first, except the
 * mail_open_stream() failure, which is presumably reported by that
 * function (not visible here - verify). As in mail_cmd(), most policy
 * checks are skipped in stand-alone mode.
 */
static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    SMTPD_PROXY *proxy;
    const char *err;
    int     narg;
    char   *arg;
    int     rate;
    const char *dsn_orcpt_addr = 0;	/* decoded ORCPT address, or default */
    ssize_t dsn_orcpt_addr_len = 0;	/* its length; it is not NUL-delimited */
    const char *dsn_orcpt_type = 0;	/* ORCPT address type, e.g. "rfc822" */
    int     dsn_notify = 0;		/* NOTIFY= mask, 0 = not given */
    const char *coded_addr;
    const char *milter_err;

    /*
     * Sanity checks.
     *
     * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a
     * command in which invalid character codes have been employed, and for
     * which there are no other reasons for rejection, MUST reject that
     * command with a 501 response. So much for the principle of "be liberal
     * in what you accept, be strict in what you send".
     */
    if (!SMTPD_IN_MAIL_TRANSACTION(state)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "503 5.5.1 Error: need MAIL command");
	return (-1);
    }
    if (argc < 3
	|| strcasecmp(argv[1].strval, "to:") != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: RCPT TO:<address>");
	return (-1);
    }

    /*
     * Per-client RCPT rate limit via the anvil server, applied before any
     * address parsing or lookups are done.
     *
     * XXX The client event count/rate control must be consistent in its use
     * of client address information in connect and disconnect events. For
     * now we exclude xclient authorized hosts from event count/rate control.
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& !xclient_allowed
	&& anvil_clnt
	&& var_smtpd_crcpt_limit > 0
	&& !namadr_list_match(hogger_list, state->name, state->addr)
	&& anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
			   &rate) == ANVIL_STAT_OK
	&& rate > var_smtpd_crcpt_limit) {
	state->error_mask |= MAIL_ERROR_POLICY;
	msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
		 rate, state->namaddr, state->service);
	smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
			 state->addr);
	return (-1);
    }
    /* The tokenizer already flagged this argument as malformed. */
    if (argv[2].tokval == SMTPD_TOK_ERROR) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
	return (-1);
    }
    /*
     * Parse the recipient into state->addr_buf. Unlike MAIL FROM, an empty
     * address is rejected (REJECT_EMPTY_ADDR); the SMTPUTF8 flag set by
     * mail_cmd() decides which address syntax is allowed.
     */
    if (extract_addr(state, argv + 2, REJECT_EMPTY_ADDR, var_strict_rfc821_env,
		     state->flags & SMTPD_FLAG_SMTPUTF8) != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
	return (-1);
    }
    /*
     * ESMTP RCPT parameters. Only the RFC 3461 DSN parameters are known;
     * anything else is rejected with a 555 that echoes the parameter text.
     */
    for (narg = 3; narg < argc; narg++) {
	arg = argv[narg].strval;
	if (strncasecmp(arg, "NOTIFY=", 7) == 0) {	/* RFC 3461 */
	    /* Sanitized on input. */
	    if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
		return (-1);
	    }
	    /* A repeated NOTIFY= (mask already set) or bad value is an error. */
	    if (dsn_notify || (dsn_notify = dsn_notify_mask(arg + 7)) == 0) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state,
			      "501 5.5.4 Error: Bad NOTIFY parameter syntax");
		return (-1);
	    }
	} else if (strncasecmp(arg, "ORCPT=", 6) == 0) {	/* RFC 3461 */
	    /* Sanitized by bounce server. */
	    if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
		return (-1);
	    }
	    /*
	     * ORCPT=addr-type;xtext-address. split_at() separates the type
	     * (left in dsn_orcpt_buf) from the encoded address; the address
	     * is decoded into state->dsn_buf with the utf-8 variant when the
	     * type says so. A repeated ORCPT=, a missing ';', an empty type
	     * or a decoding failure is rejected.
	     */
	    vstring_strcpy(state->dsn_orcpt_buf, arg + 6);
	    if (dsn_orcpt_addr
		|| (coded_addr = split_at(STR(state->dsn_orcpt_buf), ';')) == 0
		|| *(dsn_orcpt_type = STR(state->dsn_orcpt_buf)) == 0
		|| (strcasecmp(dsn_orcpt_type, "utf-8") == 0 ?
		    uxtext_unquote(state->dsn_buf, coded_addr) == 0 :
		    xtext_unquote(state->dsn_buf, coded_addr) == 0)) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state,
			       "501 5.5.4 Error: Bad ORCPT parameter syntax");
		return (-1);
	    }
	    /* Points into state->dsn_buf, which is not modified again below. */
	    dsn_orcpt_addr = STR(state->dsn_buf);
	    dsn_orcpt_addr_len = LEN(state->dsn_buf);
	} else {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg);
	    return (-1);
	}
    }
    /*
     * Recipient count limit. The first smtpd_recipient_overshoot_limit
     * excess recipients only get a 452 and return 0 (no error flagged);
     * beyond that the command is treated as a policy error, which
     * presumably feeds the per-session error counting elsewhere.
     */
    if (var_smtpd_rcpt_limit && state->rcpt_count >= var_smtpd_rcpt_limit) {
	smtpd_chat_reply(state, "452 4.5.3 Error: too many recipients");
	if (state->rcpt_overshoot++ < var_smtpd_rcpt_overlim)
	    return (0);
	state->error_mask |= MAIL_ERROR_POLICY;
	return (-1);
    }

    /*
     * A non-ASCII recipient without SMTPUTF8 on the MAIL command is either
     * rejected (strict_smtputf8) or logged as a compatibility warning.
     *
     * Historically, Postfix does not forbid 8-bit envelope localparts.
     * Changing this would be a compatibility break. That can't happen in the
     * foreseeable future.
     */
    if ((var_strict_smtputf8 || warn_compat_break_smtputf8_enable)
	&& (state->flags & SMTPD_FLAG_SMTPUTF8) == 0
	&& *STR(state->addr_buf) && !allascii(STR(state->addr_buf))) {
	if (var_strict_smtputf8) {
	    smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to "
			     "send unicode address");
	    return (-1);
	}

	/*
	 * Not: #ifndef NO_EAI. They must configure SMTPUTF8_ENABLE=no if a
	 * warning message is logged, so that they don't suddenly start to
	 * lose mail after Postfix is built with EAI support.
	 */
	if (warn_compat_break_smtputf8_enable)
	    msg_info("using backwards-compatible default setting "
		     VAR_SMTPUTF8_ENABLE "=no to accept non-ASCII recipient "
		     "address \"%s\" from %s", STR(state->addr_buf),
		     state->namaddr);
    }
    if (SMTPD_STAND_ALONE(state) == 0) {
	const char *verify_sender;

	/*
	 * XXX Don't reject the address when we're probed with our own
	 * address verification sender address. Otherwise, some timeout or
	 * some UCE block may result in mutual negative caching, making it
	 * painful to get the mail through. Unfortunately we still have to
	 * send the address to the Milters otherwise they may bail out with a
	 * "missing recipient" protocol error.
	 *
	 * For a verification probe the recipient restrictions are skipped
	 * entirely (err = 0); otherwise smtpd_recipient_restrictions etc.
	 * are evaluated here.
	 */
	verify_sender = valid_verify_sender_addr(STR(state->addr_buf));
	if (verify_sender != 0) {
	    vstring_strcpy(state->addr_buf, verify_sender);
	    err = 0;
	} else {
	    err = smtpd_check_rcpt(state, STR(state->addr_buf));
	}
	/*
	 * Milter RCPT event. The recipient is published in state->recipient
	 * only for the duration of the call (PUSH_STRING/POP_STRING are
	 * macros defined elsewhere). A recipient that the restrictions
	 * already rejected is still announced, with MILTER_FLAG_WANT_RCPT_REJ
	 * and the reject text in state->milter_reject_text; in that case
	 * the Milter's own verdict is ignored and the restriction reply wins.
	 */
	if (smtpd_milters != 0
	    && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
	    PUSH_STRING(saved_rcpt, state->recipient, STR(state->addr_buf));
	    state->milter_reject_text = err;
	    milter_err = milter_rcpt_event(smtpd_milters,
					   err == 0 ? MILTER_FLAG_NONE :
					   MILTER_FLAG_WANT_RCPT_REJ,
					 milter_argv(state, argc - 2, argv + 2));
	    if (err == 0 && milter_err != 0) {
		/* Log reject etc. with correct recipient information. */
		err = check_milter_reply(state, milter_err);
	    }
	    POP_STRING(saved_rcpt, state->recipient);
	}
	if (err != 0) {
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }

    /*
     * Don't access the proxy, queue file, or queue file writer process until
     * we have a valid recipient address.
     */
    if (state->proxy == 0 && state->cleanup == 0 && mail_open_stream(state) < 0)
	return (-1);

    /*
     * Proxy the recipient. OK, so we lied. If the real-time proxy rejects
     * the recipient then we can have a proxy connection without having
     * accepted a recipient.
     */
    proxy = state->proxy;
    if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_OK,
				 "%s", STR(state->buffer)) != 0) {
	smtpd_chat_reply(state, "%s", STR(proxy->reply));
	return (-1);
    }

    /*
     * Store the recipient. Remember the first one.
     *
     * Flush recipients to maintain a stiffer coupling with the next stage and
     * to better utilize parallelism.
     *
     * RFC 3461 Section 5.2.1: If the NOTIFY parameter was not supplied for a
     * recipient when the message was received, the NOTIFY parameter MUST NOT
     * be supplied for that recipient when the message is relayed.
     *
     * In other words, we can't simply make up our default NOTIFY value. We have
     * to remember whether the client sent any.
     *
     * RFC 3461 Section 5.2.1: If no ORCPT parameter was present when the
     * message was received, an ORCPT parameter MAY be added to the RCPT
     * command when the message is relayed. If an ORCPT parameter is added
     * by the relaying MTA, it MUST contain the recipient address from the
     * RCPT command used when the message was received by that MTA.
     *
     * In other words, it is OK to make up our own DSN original recipient when
     * the client didn't send one. Although the RFC mentions mail relaying
     * only, we also make up our own original recipient for the purpose of
     * final delivery. For now, we do this here, rather than on the fly.
     *
     * XXX We use REC_TYPE_ATTR for DSN-related recipient attributes even though
     * 1) REC_TYPE_ATTR is not meant for multiple instances of the same named
     * attribute, and 2) mixing REC_TYPE_ATTR with REC_TYPE_(not attr)
     * requires that we map attributes with rec_attr_map() in order to
     * simplify the recipient record processing loops in the cleanup and qmgr
     * servers.
     *
     * Another possibility, yet to be explored, is to leave the additional
     * recipient information in the queue file and just pass queue file
     * offsets along with the delivery request. This is a trade off between
     * memory allocation versus numeric conversion overhead.
     *
     * Since we have no record grouping mechanism, all recipient-specific
     * parameters must be sent to the cleanup server before the actual
     * recipient address.
     */
    state->rcpt_count++;
    if (state->recipient == 0)
	state->recipient = mystrdup(STR(state->addr_buf));
    if (state->cleanup) {
	/* Note: RFC(2)821 externalized address! */
	if (dsn_orcpt_addr == 0) {
	    /*
	     * No ORCPT from the client: use the raw RCPT TO argument with
	     * the enclosing <> stripped. The '<' test short-circuits for an
	     * empty string, so the len - 1 index below cannot go negative.
	     */
	    dsn_orcpt_type = "rfc822";
	    dsn_orcpt_addr = argv[2].strval;
	    dsn_orcpt_addr_len = strlen(argv[2].strval);
	    if (dsn_orcpt_addr[0] == '<'
		&& dsn_orcpt_addr[dsn_orcpt_addr_len - 1] == '>') {
		dsn_orcpt_addr += 1;
		dsn_orcpt_addr_len -= 2;
	    }
	}
	if (dsn_notify)
	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
			MAIL_ATTR_DSN_NOTIFY, dsn_notify);
	/* %.*s: the ORCPT address is length-delimited, not NUL-delimited. */
	rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s;%.*s",
		    MAIL_ATTR_DSN_ORCPT, dsn_orcpt_type,
		    (int) dsn_orcpt_addr_len, dsn_orcpt_addr);
	rec_fputs(state->cleanup, REC_TYPE_RCPT, STR(state->addr_buf));
	vstream_fflush(state->cleanup);
    }
    smtpd_chat_reply(state, "250 2.1.5 Ok");
    return (0);
}
2970
2971/* rcpt_reset - reset RCPT stuff */
2972
/*
 * rcpt_reset - forget the recipients of the current transaction.
 *
 * Releases the remembered first recipient and zeroes the recipient count
 * and the over-limit counter used by rcpt_cmd().
 */
static void rcpt_reset(SMTPD_STATE *state)
{
    char   *first_rcpt = state->recipient;

    if (first_rcpt != 0) {
	myfree(first_rcpt);
	state->recipient = 0;
    }
    state->rcpt_count = 0;
    /* XXX Must flush the command history. */
    state->rcpt_overshoot = 0;
}
2983
2984#if 0
2985
2986/* rfc2047_comment_encode - encode comment string */
2987
/*
 * rfc2047_comment_encode - RFC 2047 'Q'-encode a string for use inside a
 * quoted Received: header comment.
 *
 * str: the text to encode; charset: the charset label for the encoded word.
 * Returns a newly allocated VSTRING that the caller must free. When str
 * contains only printable characters and none of CSPECIALS, the result is
 * simply str wrapped in double quotes; otherwise an encoded word of the
 * form =?charset?Q?...?= that also encodes the enclosing quotes.
 *
 * This function sits inside an #if 0 block and is not compiled in.
 */
static VSTRING *rfc2047_comment_encode(const char *str, const char *charset)
{
    VSTRING *buf = vstring_alloc(30);
    const unsigned char *cp = (const unsigned char *) str;
    int     ch;
    int     needs_encoding = 0;

    /*
     * XXX This is problematic code.
     *
     * XXX Most of the RFC 2047 "especials" are not special in RFC*822 comments,
     * but we encode them anyway to avoid complaints.
     *
     * XXX In Received: header comments we enclose peer and issuer common names
     * with "" quotes (inherited from the Lutz Jaenicke patch). This is the
     * cause of several quirks.
     *
     * 1) We encode text that contains the " character, even though that
     * character is not special for RFC*822 comments.
     *
     * 2) We ignore the recommended limit of 75 characters per encoded word,
     * because long comments look ugly when folded in-between quotes.
     *
     * 3) We encode the enclosing quotes, to avoid producing invalid encoded
     * words. Microsoft abuses RFC 2047 encoding with attachment names, but
     * we have no information on what decoders do with malformed encoding in
     * comments. This means the comments are Jaenicke-compatible only after
     * decoding.
     */
#define ESPECIALS "()<>@,;:\"/[]?.="	/* Special in RFC 2047 */
#define QSPECIALS "_" ESPECIALS		/* Special in RFC 2047 'Q' */
#define CSPECIALS "\\\"()"		/* Special in our comments */

    /* First pass: decide whether encoding is needed at all. */
    while ((ch = *cp) != 0) {
	if (!ISPRINT(ch) || strchr(CSPECIALS, ch)) {
	    needs_encoding = 1;
	    break;
	}
	cp++;
    }
    if (!needs_encoding) {
	vstring_sprintf(buf, "\"%s\"", str);
	return (buf);
    }

    /*
     * Second pass: quoted-printable (like) encoding with spaces mapped to
     * underscore, with the enclosing double quotes encoded as well.
     */
    vstring_sprintf(buf, "=?%s?Q?=%02X", charset, '"');
    for (cp = (const unsigned char *) str; (ch = *cp) != 0; cp++) {
	if (!ISPRINT(ch) || strchr(QSPECIALS CSPECIALS, ch))
	    vstring_sprintf_append(buf, "=%02X", ch);
	else if (ch == ' ')
	    VSTRING_ADDCH(buf, '_');
	else
	    VSTRING_ADDCH(buf, ch);
    }
    vstring_sprintf_append(buf, "=%02X?=", '"');
    return (buf);
}
3046
3047#endif
3048
3049/* comment_sanitize - clean up comment string */
3050
/*
 * comment_sanitize - neutralize text before it is placed inside an RFC 822
 * comment in our own Received: header.
 *
 * The input (a peer or issuer certificate CN, or a SASL login name) comes
 * from the remote side, so it is reduced in place to printable ASCII: any
 * other byte and the backslash become '?', a ')' without a matching '('
 * becomes '?', and unmatched '(' are balanced by appending ')'.
 * The VSTRING is modified in place and re-terminated.
 */
static void comment_sanitize(VSTRING *comment_string)
{
    unsigned char *cp = (unsigned char *) STR(comment_string);
    int     depth = 0;			/* currently open parentheses */
    int     ch;

    /*
     * Postfix Received: headers can be configured to include a comment with
     * the CN (CommonName) of the peer and its issuer, or the login name of a
     * SASL authenticated user. To avoid problems with RFC 822 etc. syntax,
     * we limit this information to printable ASCII text, and neutralize
     * characters that affect comment parsing: the backslash and unbalanced
     * parentheses.
     */
    while ((ch = *cp) != 0) {
	if (!ISASCII(ch) || !ISPRINT(ch) || ch == '\\') {
	    *cp = '?';
	} else if (ch == '(') {
	    depth += 1;
	} else if (ch == ')' && depth > 0) {
	    depth -= 1;
	} else if (ch == ')') {
	    *cp = '?';
	}
	cp++;
    }
    /* Close whatever the input left open; cp is not used past this point. */
    for (; depth > 0; depth--)
	VSTRING_ADDCH(comment_string, ')');
    VSTRING_TERMINATE(comment_string);
}
3081
3082/* data_cmd - process DATA command */
3083
3084static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
3085{
3086 SMTPD_PROXY *proxy;
3087 const char *err;
3088 char *start;
3089 int len;
3090 int curr_rec_type;
3091 int prev_rec_type;
3092 int first = 1;
3093 VSTRING *why = 0;
3094 int saved_err;
3095 int (*out_record) (VSTREAM *, int, const char *, ssize_t);
3096 int (*out_fprintf) (VSTREAM *, int, const char *,...);
3097 VSTREAM *out_stream;
3098 int out_error;
3099 char **cpp;
3100 const CLEANUP_STAT_DETAIL *detail;
3101 const char *rfc3848_sess;
3102 const char *rfc3848_auth;
3103 const char *with_protocol = (state->flags & SMTPD_FLAG_SMTPUTF8) ?
3104 "UTF8SMTP" : state->protocol;
3105
3106#ifdef USE_TLS
3107 VSTRING *peer_CN;
3108 VSTRING *issuer_CN;
3109
3110#endif
3111#ifdef USE_SASL_AUTH
3112 VSTRING *username;
3113
3114#endif
3115
3116 /*
3117 * Sanity checks. With ESMTP command pipelining the client can send DATA
3118 * before all recipients are rejected, so don't report that as a protocol
3119 * error.
3120 */
3121 if (state->rcpt_count == 0) {
3122 if (!SMTPD_IN_MAIL_TRANSACTION(state)) {
3123 state->error_mask |= MAIL_ERROR_PROTOCOL;
3124 smtpd_chat_reply(state, "503 5.5.1 Error: need RCPT command");
3125 } else {
3126 smtpd_chat_reply(state, "554 5.5.1 Error: no valid recipients");
3127 }
3128 return (-1);
3129 }
3130 if (argc != 1) {
3131 state->error_mask |= MAIL_ERROR_PROTOCOL;
3132 smtpd_chat_reply(state, "501 5.5.4 Syntax: DATA");
3133 return (-1);
3134 }
3135 if (SMTPD_STAND_ALONE(state) == 0 && (err = smtpd_check_data(state)) != 0) {
3136 smtpd_chat_reply(state, "%s", err);
3137 return (-1);
3138 }
3139 if (smtpd_milters != 0
3140 && SMTPD_STAND_ALONE(state) == 0
3141 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0
3142 && (err = milter_data_event(smtpd_milters)) != 0
3143 && (err = check_milter_reply(state, err)) != 0) {
3144 smtpd_chat_reply(state, "%s", err);
3145 return (-1);
3146 }
3147 proxy = state->proxy;
3148 if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_MORE,
3149 "%s", STR(state->buffer)) != 0) {
3150 smtpd_chat_reply(state, "%s", STR(proxy->reply));
3151 return (-1);
3152 }
3153
3154 /*
3155 * One level of indirection to choose between normal or proxied
3156 * operation. We want to avoid massive code duplication within tons of
3157 * if-else clauses.
3158 */
3159 if (proxy) {
3160 out_stream = proxy->stream;
3161 out_record = proxy->rec_put;
3162 out_fprintf = proxy->rec_fprintf;
3163 out_error = CLEANUP_STAT_PROXY;
3164 } else {
3165 out_stream = state->cleanup;
3166 out_record = rec_put;
3167 out_fprintf = rec_fprintf;
3168 out_error = CLEANUP_STAT_WRITE;
3169 }
3170
3171 /*
3172 * Flush out a first batch of access table actions that are delegated to
3173 * the cleanup server, and that may trigger before we accept the first
3174 * valid recipient. There will be more after end-of-data.
3175 *
3176 * Terminate the message envelope segment. Start the message content
3177 * segment, and prepend our own Received: header. If there is only one
3178 * recipient, list the recipient address.
3179 */
3180 if (state->cleanup) {
3181 if (SMTPD_STAND_ALONE(state) == 0) {
3182 if (smtpd_milters != 0
3183 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
3184 /* Send actual smtpd_milters list. */
3185 (void) milter_send(smtpd_milters, state->cleanup);
3186 if (state->saved_flags)
3187 rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
3188 state->saved_flags);
3189 }
3190 rec_fputs(state->cleanup, REC_TYPE_MESG, "");
3191 }
3192
3193 /*
3194 * PREPEND message headers above our own Received: header.
3195 */
3196 if (state->prepend)
3197 for (cpp = state->prepend->argv; *cpp; cpp++)
3198 out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
3199
3200 /*
3201 * Suppress our own Received: header in the unlikely case that we are an
3202 * intermediate proxy.
3203 */
3204 if (!proxy || state->xforward.flags == 0) {
3205 out_fprintf(out_stream, REC_TYPE_NORM,
3206 "Received: from %s (%s [%s])",
3207 state->helo_name ? state->helo_name : state->name,
3208 state->name, state->rfc_addr);
3209
3210#define VSTRING_STRDUP(s) vstring_strcpy(vstring_alloc(strlen(s) + 1), (s))
3211
3212#ifdef USE_TLS
3213 if (var_smtpd_tls_received_header && state->tls_context) {
3214 out_fprintf(out_stream, REC_TYPE_NORM,
3215 "\t(using %s with cipher %s (%d/%d bits))",
3216 state->tls_context->protocol,
3217 state->tls_context->cipher_name,
3218 state->tls_context->cipher_usebits,
3219 state->tls_context->cipher_algbits);
3220 if (TLS_CERT_IS_PRESENT(state->tls_context)) {
3221 peer_CN = VSTRING_STRDUP(state->tls_context->peer_CN);
3222 comment_sanitize(peer_CN);
3223 issuer_CN = VSTRING_STRDUP(state->tls_context->issuer_CN ?
3224 state->tls_context->issuer_CN : "");
3225 comment_sanitize(issuer_CN);
3226 out_fprintf(out_stream, REC_TYPE_NORM,
3227 "\t(Client CN \"%s\", Issuer \"%s\" (%s))",
3228 STR(peer_CN), STR(issuer_CN),
3229 TLS_CERT_IS_TRUSTED(state->tls_context) ?
3230 "verified OK" : "not verified");
3231 vstring_free(issuer_CN);
3232 vstring_free(peer_CN);
3233 } else if (var_smtpd_tls_ask_ccert)
3234 out_fprintf(out_stream, REC_TYPE_NORM,
3235 "\t(Client did not present a certificate)");
3236 else
3237 out_fprintf(out_stream, REC_TYPE_NORM,
3238 "\t(No client certificate requested)");
3239 }
3240 /* RFC 3848 is defined for ESMTP only. */
3241 if (state->tls_context != 0
3242 && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
3243 rfc3848_sess = "S";
3244 else
3245#endif
3246 rfc3848_sess = "";
3247#ifdef USE_SASL_AUTH
3248 if (var_smtpd_sasl_auth_hdr && state->sasl_username) {
3249 username = VSTRING_STRDUP(state->sasl_username);
3250 comment_sanitize(username);
3251 out_fprintf(out_stream, REC_TYPE_NORM,
3252 "\t(Authenticated sender: %s)", STR(username));
3253 vstring_free(username);
3254 }
3255 /* RFC 3848 is defined for ESMTP only. */
3256 if (state->sasl_username
3257 && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
3258 rfc3848_auth = "A";
3259 else
3260#endif
3261 rfc3848_auth = "";
3262 if (state->rcpt_count == 1 && state->recipient) {
3263 out_fprintf(out_stream, REC_TYPE_NORM,
3264 state->cleanup ? "\tby %s (%s) with %s%s%s id %s" :
3265 "\tby %s (%s) with %s%s%s",
3266 var_myhostname, var_mail_name,
3267 with_protocol, rfc3848_sess,
3268 rfc3848_auth, state->queue_id);
3269 quote_822_local(state->buffer, state->recipient);
3270 out_fprintf(out_stream, REC_TYPE_NORM,
3271 "\tfor <%s>; %s", STR(state->buffer),
3272 mail_date(state->arrival_time.tv_sec));
3273 } else {
3274 out_fprintf(out_stream, REC_TYPE_NORM,
3275 state->cleanup ? "\tby %s (%s) with %s%s%s id %s;" :
3276 "\tby %s (%s) with %s%s%s;",
3277 var_myhostname, var_mail_name,
3278 with_protocol, rfc3848_sess,
3279 rfc3848_auth, state->queue_id);
3280 out_fprintf(out_stream, REC_TYPE_NORM,
3281 "\t%s", mail_date(state->arrival_time.tv_sec));
3282 }
3283#ifdef RECEIVED_ENVELOPE_FROM
3284 quote_822_local(state->buffer, state->sender);
3285 out_fprintf(out_stream, REC_TYPE_NORM,
3286 "\t(envelope-from %s)", STR(state->buffer));
3287#endif
3288 }
3289 smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
3290 state->where = SMTPD_AFTER_DATA;
3291
3292 /*
3293 * Copy the message content. If the cleanup process has a problem, keep
3294 * reading until the remote stops sending, then complain. Produce typed
3295 * records from the SMTP stream so we can handle data that spans buffers.
3296 *
3297 * XXX Force an empty record when the queue file content begins with
3298 * whitespace, so that it won't be considered as being part of our own
3299 * Received: header. What an ugly Kluge.
3300 *
3301 * XXX Deal with UNIX-style From_ lines at the start of message content
3302 * because sendmail permits it.
3303 */
3304 for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type) {
3305 if (smtp_get(state->buffer, state->client, var_line_limit,
3306 SMTP_GET_FLAG_NONE) == '\n')
3307 curr_rec_type = REC_TYPE_NORM;
3308 else
3309 curr_rec_type = REC_TYPE_CONT;
3310 start = vstring_str(state->buffer);
3311 len = VSTRING_LEN(state->buffer);
3312 if (first) {
3313 if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) {
3314 out_fprintf(out_stream, curr_rec_type,
3315 "X-Mailbox-Line: %s", start);
3316 continue;
3317 }
3318 first = 0;
3319 if (len > 0 && IS_SPACE_TAB(start[0]))
3320 out_record(out_stream, REC_TYPE_NORM, "", 0);
3321 }
3322 if (prev_rec_type != REC_TYPE_CONT && *start == '.'
3323 && (proxy == 0 ? (++start, --len) == 0 : len == 1))
3324 break;
3325 if (state->err == CLEANUP_STAT_OK) {
3326 if (var_message_limit > 0 && var_message_limit - state->act_size < len + 2) {
3327 state->err = CLEANUP_STAT_SIZE;
3328 msg_warn("%s: queue file size limit exceeded",
3329 state->queue_id ? state->queue_id : "NOQUEUE");
3330 } else {
3331 state->act_size += len + 2;
3332 if (out_record(out_stream, curr_rec_type, start, len) < 0)
3333 state->err = out_error;
3334 }
3335 }
3336 }
3337 state->where = SMTPD_AFTER_DOT;
3338 if (state->err == CLEANUP_STAT_OK
3339 && SMTPD_STAND_ALONE(state) == 0
3340 && (err = smtpd_check_eod(state)) != 0) {
3341 smtpd_chat_reply(state, "%s", err);
3342 if (proxy) {
3343 smtpd_proxy_close(state);
3344 } else {
3345 mail_stream_cleanup(state->dest);
3346 state->dest = 0;
3347 state->cleanup = 0;
3348 }
3349 return (-1);
3350 }
3351
3352 /*
3353 * Send the end of DATA and finish the proxy connection. Set the
3354 * CLEANUP_STAT_PROXY error flag in case of trouble.
3355 */
3356 if (proxy) {
3357 if (state->err == CLEANUP_STAT_OK) {
3358 (void) proxy->cmd(state, SMTPD_PROX_WANT_ANY, ".");
3359 if (state->err == CLEANUP_STAT_OK &&
3360 *STR(proxy->reply) != '2')
3361 state->err = CLEANUP_STAT_CONT;
3362 }
3363 }
3364
3365 /*
3366 * Flush out access table actions that are delegated to the cleanup
3367 * server. There is similar code at the beginning of the DATA command.
3368 *
3369 * Send the end-of-segment markers and finish the queue file record stream.
3370 */
3371 else {
3372 if (state->err == CLEANUP_STAT_OK) {
3373 rec_fputs(state->cleanup, REC_TYPE_XTRA, "");
3374 if (state->saved_filter)
3375 rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s",
3376 state->saved_filter);
3377 if (state->saved_redirect)
3378 rec_fprintf(state->cleanup, REC_TYPE_RDR, "%s",
3379 state->saved_redirect);
3380 if (state->saved_bcc) {
3381 rec_fprintf(state->cleanup, REC_TYPE_RCPT, "%s",
3382 state->saved_bcc);
3383 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
3384 MAIL_ATTR_DSN_NOTIFY, DSN_NOTIFY_NEVER);
3385 }
3386 if (state->saved_flags)
3387 rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
3388 state->saved_flags);
3389#ifdef DELAY_ACTION
3390 if (state->saved_delay)
3391 rec_fprintf(state->cleanup, REC_TYPE_DELAY, "%d",
3392 state->saved_delay);
3393#endif
3394 if (vstream_ferror(state->cleanup))
3395 state->err = CLEANUP_STAT_WRITE;
3396 }
3397 if (state->err == CLEANUP_STAT_OK)
3398 if (rec_fputs(state->cleanup, REC_TYPE_END, "") < 0
3399 || vstream_fflush(state->cleanup))
3400 state->err = CLEANUP_STAT_WRITE;
3401 if (state->err == 0) {
3402 why = vstring_alloc(10);
3403 state->err = mail_stream_finish(state->dest, why);
3404 printable(STR(why), ' ');
3405 } else
3406 mail_stream_cleanup(state->dest);
3407 state->dest = 0;
3408 state->cleanup = 0;
3409 }
3410
3411 /*
3412 * XXX If we lose the cleanup server while it is editing a queue file,
3413 * the Postfix SMTP server will be out of sync with Milter applications.
3414 * Sending an ABORT to the Milters is not sufficient to restore
3415 * synchronization, because there may be any number of Milter replies
3416 * already in flight. Destroying and recreating the Milters (and faking
3417 * the connect and ehlo events) is too much trouble for testing and
3418 * maintenance. Workaround: force the Postfix SMTP server to hang up with
3419 * a 421 response in the rare case that the cleanup server breaks AND
3420 * that the remote SMTP client continues the session after end-of-data.
3421 *
3422 * XXX Should use something other than CLEANUP_STAT_WRITE when we lose
3423 * contact with the cleanup server. This requires changes to the
3424 * mail_stream module and its users (smtpd, qmqpd, perhaps sendmail).
3425 *
3426 * XXX See exception below in code that overrides state->access_denied for
3427 * compliance with RFC 2821 Sec 3.1.
3428 */
3429 if (smtpd_milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0)
3430 state->access_denied = mystrdup("421 4.3.0 Mail system error");
3431
3432 /*
3433 * Handle any errors. One message may suffer from multiple errors, so
3434 * complain only about the most severe error. Forgive any previous client
3435 * errors when a message was received successfully.
3436 *
3437 * See also: qmqpd.c
3438 */
3439#define IS_SMTP_REJECT(s) \
3440 (((s)[0] == '4' || (s)[0] == '5') \
3441 && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
3442 && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
3443
3444 if (state->err == CLEANUP_STAT_OK) {
3445 state->error_count = 0;
3446 state->error_mask = 0;
3447 state->junk_cmds = 0;
3448 if (proxy)
3449 smtpd_chat_reply(state, "%s", STR(proxy->reply));
3450 else
3451 smtpd_chat_reply(state,
3452 "250 2.0.0 Ok: queued as %s", state->queue_id);
3453 } else if (why && IS_SMTP_REJECT(STR(why))) {
3454 state->error_mask |= MAIL_ERROR_POLICY;
3455 smtpd_chat_reply(state, "%s", STR(why));
3456 } else if ((state->err & CLEANUP_STAT_DEFER) != 0) {
3457 state->error_mask |= MAIL_ERROR_POLICY;
3458 detail = cleanup_stat_detail(CLEANUP_STAT_DEFER);
3459 if (why && LEN(why) > 0) {
3460 /* Allow address-specific DSN status in header/body_checks. */
3461 smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
3462 } else {
3463 smtpd_chat_reply(state, "%d %s Error: %s",
3464 detail->smtp, detail->dsn, detail->text);
3465 }
3466 } else if ((state->err & CLEANUP_STAT_BAD) != 0) {
3467 state->error_mask |= MAIL_ERROR_SOFTWARE;
3468 detail = cleanup_stat_detail(CLEANUP_STAT_BAD);
3469 smtpd_chat_reply(state, "%d %s Error: internal error %d",
3470 detail->smtp, detail->dsn, state->err);
3471 } else if ((state->err & CLEANUP_STAT_SIZE) != 0) {
3472 state->error_mask |= MAIL_ERROR_BOUNCE;
3473 detail = cleanup_stat_detail(CLEANUP_STAT_SIZE);
3474 smtpd_chat_reply(state, "%d %s Error: %s",
3475 detail->smtp, detail->dsn, detail->text);
3476 } else if ((state->err & CLEANUP_STAT_HOPS) != 0) {
3477 state->error_mask |= MAIL_ERROR_BOUNCE;
3478 detail = cleanup_stat_detail(CLEANUP_STAT_HOPS);
3479 smtpd_chat_reply(state, "%d %s Error: %s",
3480 detail->smtp, detail->dsn, detail->text);
3481 } else if ((state->err & CLEANUP_STAT_CONT) != 0) {
3482 state->error_mask |= MAIL_ERROR_POLICY;
3483 detail = cleanup_stat_detail(CLEANUP_STAT_CONT);
3484 if (proxy) {
3485 smtpd_chat_reply(state, "%s", STR(proxy->reply));
3486 } else if (why && LEN(why) > 0) {
3487 /* Allow address-specific DSN status in header/body_checks. */
3488 smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
3489 } else {
3490 smtpd_chat_reply(state, "%d %s Error: %s",
3491 detail->smtp, detail->dsn, detail->text);
3492 }
3493 } else if ((state->err & CLEANUP_STAT_WRITE) != 0) {
3494 state->error_mask |= MAIL_ERROR_RESOURCE;
3495 detail = cleanup_stat_detail(CLEANUP_STAT_WRITE);
3496 smtpd_chat_reply(state, "%d %s Error: %s",
3497 detail->smtp, detail->dsn, detail->text);
3498 } else if ((state->err & CLEANUP_STAT_PROXY) != 0) {
3499 state->error_mask |= MAIL_ERROR_SOFTWARE;
3500 smtpd_chat_reply(state, "%s", STR(proxy->reply));
3501 } else {
3502 state->error_mask |= MAIL_ERROR_SOFTWARE;
3503 detail = cleanup_stat_detail(CLEANUP_STAT_BAD);
3504 smtpd_chat_reply(state, "%d %s Error: internal error %d",
3505 detail->smtp, detail->dsn, state->err);
3506 }
3507
3508 /*
3509 * By popular command: the proxy's end-of-data reply.
3510 */
3511 if (proxy)
3512 msg_info("proxy-%s: %s: %s;%s",
3513 (state->err == CLEANUP_STAT_OK) ? "accept" : "reject",
3514 state->where, STR(proxy->reply), smtpd_whatsup(state));
3515
3516 /*
3517 * Cleanup. The client may send another MAIL command.
3518 */
3519 saved_err = state->err;
3520 chat_reset(state, var_smtpd_hist_thrsh);
3521 mail_reset(state);
3522 rcpt_reset(state);
3523 if (why)
3524 vstring_free(why);
3525 return (saved_err);
3526}
3527
3528/* rset_cmd - process RSET */
3529
static int rset_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    const int well_formed = (argc == 1);

    /*
     * RSET takes no parameters. Anything else is a protocol error that is
     * counted against the client.
     */
    if (!well_formed) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: RSET");
        return (-1);
    }

    /*
     * Forget the pending mail transaction (chat history, sender and
     * recipients) but keep the HELO/EHLO information, i.e. go back to the
     * state right after HELO/EHLO.
     */
    chat_reset(state, var_smtpd_hist_thrsh);
    mail_reset(state);
    rcpt_reset(state);
    smtpd_chat_reply(state, "250 2.0.0 Ok");
    return (0);
}
3551
3552/* noop_cmd - process NOOP */
3553
static int noop_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{

    /*
     * RFC 821 says NOOP takes no parameters; RFC 2821 section 4.1.1.9 says
     * a NOOP parameter string must be accepted and ignored. By default we
     * follow the newer text and ignore whatever follows the command. Only
     * when built with RFC821_SYNTAX is a parameter rejected as a syntax
     * error.
     */
#ifdef RFC821_SYNTAX
    const int well_formed = (argc == 1);

    if (!well_formed) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: NOOP");
        return (-1);
    }
#endif
    smtpd_chat_reply(state, "250 2.0.0 Ok");
    return (0);
}
3578
3579/* vrfy_cmd - process VRFY */
3580
static int vrfy_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *reply = 0;
    int     rcpt_rate;
    int     utf8_declared = 0;
    int     orig_flags;

    /*
     * RFC 821 disallows unquoted special characters in the VRFY argument,
     * but common practice violates the standard and Postfix accommodates
     * common practice (hence SLOPPY address parsing below).
     *
     * XXX Impedance mismatch: the command tokenizer preserves quoting while
     * the recipient restrictions expect the unquoted (internal) address
     * form. We therefore parse the address with extract_addr() so that the
     * recipient restriction checks can still say "user unknown" here.
     *
     * XXX RFC 2821 section 4.5.1 makes VRFY mandatory (RFC 821 made it
     * optional) and section 3.5.3 says that a 502 "not implemented" reply
     * is not fully compliant. A compliant server thus cannot refuse to
     * answer; the only non-committal answer is a generic 252, which is what
     * spammers exploit to harvest addresses with long lists of guesses.
     */
#define SLOPPY 0

    if (var_disable_vrfy_cmd) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "502 5.5.1 VRFY command is disabled");
        return (-1);
    }

    /*
     * Fix 20140707: handle missing address. A trailing SMTPUTF8 parameter
     * (RFC 6531) is honored only when the feature is enabled and is not
     * masked out of the EHLO response (ehlo_discard_mask); it is then
     * removed from the argument count before the syntax check.
     */
    if (var_smtputf8_enable
        && (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0
        && argc > 1 && strcasecmp(argv[argc - 1].strval, "SMTPUTF8") == 0) {
        utf8_declared = 1;
        argc--;
    }
    if (argc < 2) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address%s",
                         var_smtputf8_enable ? " [SMTPUTF8]" : "");
        return (-1);
    }

    /*
     * Recipient rate control via the anvil server, for network clients
     * only. XXX The client event count/rate control must be consistent in
     * its use of client address information in connect and disconnect
     * events; for now XCLIENT-authorized hosts are excluded from it. The
     * anvil query is made only after the cheap local tests pass.
     */
    if (SMTPD_STAND_ALONE(state) == 0
        && !xclient_allowed
        && anvil_clnt
        && var_smtpd_crcpt_limit > 0
        && !namadr_list_match(hogger_list, state->name, state->addr)) {
        if (anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
                            &rcpt_rate) == ANVIL_STAT_OK
            && rcpt_rate > var_smtpd_crcpt_limit) {
            state->error_mask |= MAIL_ERROR_POLICY;
            msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
                     rcpt_rate, state->namaddr, state->service);
            smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
                             state->addr);
            return (-1);
        }
    }

    /*
     * Give the Milters a chance to veto the command with a 4xx/5xx reply.
     */
    if (smtpd_milters != 0
        && (reply = milter_other_event(smtpd_milters)) != 0
        && (reply[0] == '4' || reply[0] == '5')) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "%s", reply);
        return (-1);
    }

    /*
     * Join a multi-token argument back into one, then parse the address.
     * The unquoted result is left in state->addr_buf.
     */
    if (argc > 2)
        collapse_args(argc - 1, argv + 1);
    if (extract_addr(state, argv + 1, REJECT_EMPTY_ADDR, SLOPPY, utf8_declared) != 0) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
        return (-1);
    }

    /*
     * Fix 20140707: Check the VRFY command. A non-ASCII address without the
     * SMTPUTF8 parameter is refused when strict SMTPUTF8 is configured.
     */
    if (utf8_declared == 0 && var_strict_smtputf8
        && *STR(state->addr_buf) && !allascii(STR(state->addr_buf))) {
        mail_reset(state);
        smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to send unicode address");
        return (-1);
    }

    /*
     * Run the recipient restrictions on the unquoted address from
     * extract_addr(). Fix 20161206: allow UTF8 in
     * smtpd_recipient_restrictions by temporarily setting the SMTPUTF8
     * session flag; the flags are restored afterwards.
     */
    if (SMTPD_STAND_ALONE(state) == 0) {
        orig_flags = state->flags;
        if (utf8_declared)
            state->flags |= SMTPD_FLAG_SMTPUTF8;
        reply = smtpd_check_rcpt(state, STR(state->addr_buf));
        state->flags = orig_flags;
        if (reply != 0) {
            smtpd_chat_reply(state, "%s", reply);
            return (-1);
        }
    }

    /*
     * XXX RFC 2821 section 3.5.1 wants the VRFY response to be either
     * "full name <user@domain>" or "user@domain". Postfix echoes the string
     * the client provided, fully qualified or not, in <> or not.
     *
     * Reply code 250 is reserved for a verified address; 252 is used when
     * no definitive certainty exists.
     */
    smtpd_chat_reply(state, "252 2.0.0 %s", argv[1].strval);
    return (0);
}
3698
3699/* etrn_cmd - process ETRN command */
3700
static int etrn_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *reason;
    char   *domain;
    int     flush_status;

    /*
     * Sanity checks: HELO/EHLO first when required, Milter veto, no open
     * MAIL transaction, and exactly one parameter.
     */
    if (var_helo_required && state->helo_name == 0) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "503 Error: send HELO/EHLO first");
        return (-1);
    }
    if (smtpd_milters != 0
        && (reason = milter_other_event(smtpd_milters)) != 0
        && (reason[0] == '4' || reason[0] == '5')) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "%s", reason);
        return (-1);
    }
    if (SMTPD_IN_MAIL_TRANSACTION(state)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "503 Error: MAIL transaction in progress");
        return (-1);
    }
    if (argc != 2) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "500 Syntax: ETRN domain");
        return (-1);
    }

    /*
     * Drop a leading RFC 1985 option prefix ('@' or '#'); the prefix itself
     * is ignored. The token is advanced in place, so argv[1] stays in sync
     * with the local alias below.
     */
    if (argv[1].strval[0] == '@' || argv[1].strval[0] == '#')
        argv[1].strval++;
    domain = argv[1].strval;

    /*
     * As an extension to RFC 1985, accept an RFC 2821 address literal in
     * [] as well as a host name.
     *
     * XXX There does not appear to be an ETRN parameter to indicate that the
     * domain name is UTF-8.
     */
    if (!valid_hostname(domain, DONT_GRIPE)
        && !valid_mailhost_literal(domain, DONT_GRIPE)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 Error: invalid parameter syntax");
        return (-1);
    }

    /*
     * XXX This borrows heavily from the UCE restriction code, which
     * typically answers 450 or 550 on rejection, whereas RFC 1985 requires
     * 459 when the server refuses to perform the request.
     */
    if (SMTPD_STAND_ALONE(state)) {
        msg_warn("do not use ETRN in \"sendmail -bs\" mode");
        smtpd_chat_reply(state, "458 Unable to queue messages");
        return (-1);
    }
    if ((reason = smtpd_check_etrn(state, domain)) != 0) {
        smtpd_chat_reply(state, "%s", reason);
        return (-1);
    }

    /*
     * Hand the request to the fast flush service and translate its status
     * into an SMTP reply. Only FLUSH_STAT_OK is a success.
     */
    flush_status = flush_send_site(domain);
    if (flush_status == FLUSH_STAT_OK) {
        smtpd_chat_reply(state, "250 Queuing started");
        return (0);
    }
    if (flush_status == FLUSH_STAT_DENY) {
        msg_warn("reject: ETRN %.100s... from %s", domain, state->namaddr);
        smtpd_chat_reply(state, "459 <%s>: service unavailable", domain);
    } else if (flush_status == FLUSH_STAT_BAD) {
        msg_warn("bad ETRN %.100s... from %s", domain, state->namaddr);
        smtpd_chat_reply(state, "458 Unable to queue messages");
    } else {
        msg_warn("unable to talk to fast flush service");
        smtpd_chat_reply(state, "458 Unable to queue messages");
    }
    return (-1);
}
3781
3782/* quit_cmd - process QUIT command */
3783
static int quit_cmd(SMTPD_STATE *state, int unused_argc, SMTPD_TOKEN *unused_argv)
{

    /*
     * Sample the output buffer before our own reply is appended, so that
     * the test below reflects only replies that were already pending (for
     * example the "." reply of a pipelined end-of-data).
     */
    const int had_pending_output =
        vstream_bufstat(state->client, VSTREAM_BST_OUT_PEND) > 0;

    /*
     * No syntax check for QUIT.
     */
    smtpd_chat_reply(state, "221 2.0.0 Bye");

    /*
     * When the "." and QUIT replies are pipelined, push them out now so a
     * crash in the "clean up before disconnect" code cannot cause repeated
     * mail deliveries.
     *
     * XXX Postfix 2.1 used vstream_fflush() here; since Postfix 2.3 this
     * is smtp_flush() for better error reporting.
     */
    if (had_pending_output)
        smtp_flush(state->client);
    return (0);
}
3805
3806/* xclient_cmd - override SMTP client attributes */
3807
static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{

    /*
     * XCLIENT lets an authorized up-stream host (matched against
     * xclient_hosts) replace the SMTP client attributes that this server
     * uses for access control and logging: NAME, REVERSE_NAME, ADDR, PORT,
     * HELO, PROTO and, when built with SASL support, LOGIN. Every
     * attribute=value pair is validated before it is stored; a bad pair
     * aborts the command with a 501 reply, but pairs processed earlier in
     * the same command have already been applied at that point. On success
     * the session is rewound to the initial greeting stage with
     * vstream_longjmp(), so the trailing "return (0)" is presumably not
     * reached on that path (the longjmp target is outside this function).
     */
    SMTPD_TOKEN *argp;
    char   *raw_value;
    char   *attr_value;
    const char *bare_value;
    char   *attr_name;
    int     update_namaddr = 0;
    int     name_status;

    /* Maps the XCLIENT "[UNAVAILABLE]"/"[TEMPUNAVAIL]" tokens to lookup status codes. */
    static const NAME_CODE peer_codes[] = {
	XCLIENT_UNAVAILABLE, SMTPD_PEER_CODE_PERM,
	XCLIENT_TEMPORARY, SMTPD_PEER_CODE_TEMP,
	0, SMTPD_PEER_CODE_OK,
    };

    /* Accepted PROTO values; anything else maps to -1 and is rejected. */
    static const NAME_CODE proto_names[] = {
	MAIL_PROTO_SMTP, 1,
	MAIL_PROTO_ESMTP, 2,
	0, -1,
    };
    int     got_helo = 0;
    int     got_proto = 0;

#ifdef USE_SASL_AUTH
    int     got_login = 0;
    char   *saved_username;

#endif

    /*
     * Sanity checks.
     *
     * XXX The XCLIENT command will override its own access control, so that
     * connection count/rate restrictions can be correctly simulated.
     */
    if (SMTPD_IN_MAIL_TRANSACTION(state)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
	return (-1);
    }
    if (argc < 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...",
			 XCLIENT_CMD);
	return (-1);
    }

    /*
     * A broken xclient_hosts table must not be treated as "nobody allowed"
     * silently; cant_permit_command() presumably does not return (there is
     * no return statement after it) -- confirm against its definition.
     */
    if (xclient_hosts && xclient_hosts->error)
	cant_permit_command(state, XCLIENT_CMD);
    if (!xclient_allowed) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
	return (-1);
    }

    /*
     * STREQ is a case-insensitive string equality test; UPDATE_STR replaces
     * an owned string attribute, freeing the old value and copying the new
     * one (or storing a null pointer). Both macros stay defined after this
     * function; STREQ is also used further down in this file.
     */
#define STREQ(x,y) (strcasecmp((x), (y)) == 0)
#define UPDATE_STR(s, v) do { \
	const char *_v = (v); \
	if (s) myfree(s); \
	s = (_v) ? mystrdup(_v) : 0; \
    } while(0)

    /*
     * Initialize. The expansion buffer receives the xtext-decoded values.
     */
    if (state->expand_buf == 0)
	state->expand_buf = vstring_alloc(100);

    /*
     * Iterate over all attribute=value elements.
     */
    for (argp = argv + 1; argp < argv + argc; argp++) {
	attr_name = argp->strval;

	/* split_at() cuts the token at '=' in place; the value must be non-empty. */
	if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected");
	    return (-1);
	}
	/* Length limit on the encoded value, before any decoding. */
	if (strlen(raw_value) > 255) {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long");
	    return (-1);
	}

	/*
	 * Backwards compatibility: Postfix prior to version 2.3 does not
	 * xtext encode attribute values. When decoding fails the raw value
	 * is used as-is.
	 */
	attr_value = xtext_unquote(state->expand_buf, raw_value) ?
	    STR(state->expand_buf) : raw_value;

	/*
	 * For safety's sake mask non-printable characters. We'll do more
	 * specific censoring later.
	 */
	printable(attr_value, '?');

	/*
	 * NAME=substitute SMTP client hostname (and reverse/forward name, in
	 * case of success). Also updates the client hostname lookup status
	 * code. An "unavailable"/"temporary" value becomes CLIENT_NAME_UNKNOWN
	 * with the matching status, and the reverse name is then left alone.
	 */
	if (STREQ(attr_name, XCLIENT_NAME)) {
	    name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value);
	    if (name_status != SMTPD_PEER_CODE_OK) {
		attr_value = CLIENT_NAME_UNKNOWN;
	    } else {
		/* XXX EAI */
		if (!valid_hostname(attr_value, DONT_GRIPE)) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XCLIENT_NAME, attr_value);
		    return (-1);
		}
	    }
	    state->name_status = name_status;
	    UPDATE_STR(state->name, attr_value);
	    update_namaddr = 1;
	    if (name_status == SMTPD_PEER_CODE_OK) {
		UPDATE_STR(state->reverse_name, attr_value);
		state->reverse_name_status = name_status;
	    }
	}

	/*
	 * REVERSE_NAME=substitute SMTP client reverse hostname. Also updates
	 * the client reverse hostname lookup status code. Unlike NAME this
	 * does not touch the combined name/address string.
	 */
	else if (STREQ(attr_name, XCLIENT_REVERSE_NAME)) {
	    name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value);
	    if (name_status != SMTPD_PEER_CODE_OK) {
		attr_value = CLIENT_NAME_UNKNOWN;
	    } else {
		/* XXX EAI */
		if (!valid_hostname(attr_value, DONT_GRIPE)) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XCLIENT_REVERSE_NAME, attr_value);
		    return (-1);
		}
	    }
	    state->reverse_name_status = name_status;
	    UPDATE_STR(state->reverse_name, attr_value);
	}

	/*
	 * ADDR=substitute SMTP client network address. state->addr gets the
	 * bare form returned by valid_mailhost_addr(), state->rfc_addr the
	 * form as given (presumably with any address-family prefix); the
	 * address family is derived from the "IPv6:" prefix.
	 */
	else if (STREQ(attr_name, XCLIENT_ADDR)) {
	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
		attr_value = CLIENT_ADDR_UNKNOWN;
		bare_value = attr_value;
	    } else {
		if ((bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XCLIENT_ADDR, attr_value);
		    return (-1);
		}
	    }
	    UPDATE_STR(state->addr, bare_value);
	    UPDATE_STR(state->rfc_addr, attr_value);
#ifdef HAS_IPV6
	    if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":",
			    sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0)
		state->addr_family = AF_INET6;
	    else
#endif
		state->addr_family = AF_INET;
	    update_namaddr = 1;
	}

	/*
	 * PORT=substitute SMTP client port number. Digits only, at most five
	 * of them. NOTE(review): the numeric range (0..65535) is not checked
	 * here; the value is kept as a string.
	 */
	else if (STREQ(attr_name, XCLIENT_PORT)) {
	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
		attr_value = CLIENT_PORT_UNKNOWN;
	    } else {
		if (!alldig(attr_value)
		    || strlen(attr_value) > sizeof("65535") - 1) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XCLIENT_PORT, attr_value);
		    return (-1);
		}
	    }
	    UPDATE_STR(state->port, attr_value);
	    update_namaddr = 1;
	}

	/*
	 * HELO=substitute SMTP client HELO parameter. Censor special
	 * characters that could mess up message headers. The value is only
	 * length-limited and neutered, not validated as a hostname.
	 */
	else if (STREQ(attr_name, XCLIENT_HELO)) {
	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
		attr_value = CLIENT_HELO_UNKNOWN;
	    } else {
		if (strlen(attr_value) > VALID_HOSTNAME_LEN) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XCLIENT_HELO, attr_value);
		    return (-1);
		}
		neuter(attr_value, NEUTER_CHARACTERS, '?');
	    }
	    UPDATE_STR(state->helo_name, attr_value);
	    got_helo = 1;
	}

	/*
	 * PROTO=SMTP protocol name. Only the names in proto_names are
	 * accepted; the stored value is upper-cased.
	 */
	else if (STREQ(attr_name, XCLIENT_PROTO)) {
	    if (name_code(proto_names, NAME_CODE_FLAG_NONE, attr_value) < 0) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				 XCLIENT_PROTO, attr_value);
		return (-1);
	    }
	    UPDATE_STR(state->protocol, uppercase(attr_value));
	    got_proto = 1;
	}

	/*
	 * LOGIN=sasl_username. Sets the authentication method as XCLIENT.
	 * This can be used even if SASL authentication is turned off in
	 * main.cf. We can't make it easier than that. An "unavailable"
	 * value is silently ignored.
	 */
#ifdef USE_SASL_AUTH
	else if (STREQ(attr_name, XCLIENT_LOGIN)) {
	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE) == 0) {
		smtpd_sasl_auth_extern(state, attr_value, XCLIENT_CMD);
		got_login = 1;
	    }
	}
#endif

	/*
	 * Unknown attribute name. Complain.
	 */
	else {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s",
			     XCLIENT_CMD, attr_name);
	    return (-1);
	}
    }

    /*
     * Update the combined name and address when either has changed.
     */
    if (update_namaddr) {
	if (state->namaddr)
	    myfree(state->namaddr);
	state->namaddr =
	    SMTPD_BUILD_NAMADDRPORT(state->name, state->addr, state->port);
    }

    /*
     * XXX Compatibility: when the client issues XCLIENT then we have to go
     * back to initial server greeting stage, otherwise we can't correctly
     * simulate smtpd_client_restrictions (with smtpd_delay_reject=0) and
     * Milter connect restrictions.
     *
     * XXX Compatibility: for accurate simulation we must also reset the HELO
     * information. We keep the information if it was specified in the
     * XCLIENT command.
     *
     * XXX The client connection count/rate control must be consistent in its
     * use of client address information in connect and disconnect events. We
     * re-evaluate xclient so that we correctly simulate connection
     * concurrency and connection rate restrictions.
     *
     * XXX Duplicated from smtpd_proto().
     */
    xclient_allowed =
	namadr_list_match(xclient_hosts, state->name, state->addr);
    /* NOT: tls_reset() */
    if (got_helo == 0)
	helo_reset(state);
    /* Without an explicit PROTO, fall back to plain SMTP. */
    if (got_proto == 0 && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) {
	myfree(state->protocol);
	state->protocol = mystrdup(MAIL_PROTO_SMTP);
    }
#ifdef USE_SASL_AUTH
    /* XXX What if they send the parameters via multiple commands? */
    if (got_login == 0)
	smtpd_sasl_auth_reset(state);

    /*
     * Re-activate SASL with the option set that matches the (possibly
     * proxied) TLS state. A LOGIN given in this command is preserved across
     * the deactivate/activate cycle by copying the user name first.
     */
    if (smtpd_sasl_is_active(state)) {
	if (got_login)
	    saved_username = mystrdup(state->sasl_username);
	smtpd_sasl_deactivate(state);
#ifdef USE_TLS
	if (state->tls_context != 0)		/* TLS from XCLIENT proxy? */
	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
				var_smtpd_sasl_tls_opts);
	else
#endif
	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
				var_smtpd_sasl_opts);
	if (got_login) {
	    smtpd_sasl_auth_extern(state, saved_username, XCLIENT_CMD);
	    myfree(saved_username);
	}
    }
#endif

    /*
     * Discard transaction state, tell the Milters the "connection" ended,
     * and restart the session as if the client had just connected.
     */
    chat_reset(state, 0);
    mail_reset(state);
    rcpt_reset(state);
    if (smtpd_milters)
	milter_disc_event(smtpd_milters);
    vstream_longjmp(state->client, SMTP_ERR_NONE);
    return (0);
}
4122
4123/* xforward_cmd - forward logging attributes */
4124
/*
 * Handles one XFORWARD command: "attribute=value" pairs in argv[1..argc-1]
 * describing the up-stream client (NAME, ADDR, PORT, PROTO, HELO, IDENT,
 * DOMAIN). Each accepted value replaces the matching state->xforward.* field.
 * Returns 0 after replying "250 2.0.0 Ok", or -1 after a 5xx reply; every
 * failure path also sets a MAIL_ERROR_* bit in state->error_mask.
 *
 * Authorization: refused with 550 unless xforward_allowed is set. That flag
 * is maintained outside this block (presumably from the xforward_hosts access
 * list and the connecting client's address).
 *
 * Every value passes through the same funnel before attribute-specific logic
 * runs: raw length bounded to 255 bytes, xtext-decoded, non-printable bytes
 * masked with '?'. The per-attribute code then censors or rejects it. The
 * length bound is applied to the encoded form; xtext decoding presumably never
 * grows a value, so stored values stay within 255 bytes.
 *
 * NOTE(review): attributes are stored one at a time as they are validated. If
 * a later attribute in the same command is rejected, the earlier ones have
 * already replaced their state->xforward.* fields, but their bits are not
 * merged into state->xforward.flags and state->xforward.namaddr is not
 * rebuilt (both happen only after the loop). Whether anything depends on
 * flags/namaddr staying in sync with the fields after a failed command is not
 * visible in this block.
 */
static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    SMTPD_TOKEN *argp;
    char   *raw_value;                  /* text after '=' as received */
    char   *attr_value;                 /* decoded and printable-masked value */
    const char *bare_value;             /* ADDR form returned by valid_mailhost_addr() */
    char   *attr_name;
    int     updated = 0;                /* flag bits of attributes set by this command */
    /* Attribute name -> SMTPD_STATE_XFORWARD_* flag bit; the 0 entry terminates. */
    static const NAME_CODE xforward_flags[] = {
        XFORWARD_NAME, SMTPD_STATE_XFORWARD_NAME,
        XFORWARD_ADDR, SMTPD_STATE_XFORWARD_ADDR,
        XFORWARD_PORT, SMTPD_STATE_XFORWARD_PORT,
        XFORWARD_PROTO, SMTPD_STATE_XFORWARD_PROTO,
        XFORWARD_HELO, SMTPD_STATE_XFORWARD_HELO,
        XFORWARD_IDENT, SMTPD_STATE_XFORWARD_IDENT,
        XFORWARD_DOMAIN, SMTPD_STATE_XFORWARD_DOMAIN,
        0, 0,
    };
    /* DOMAIN is stored in Postfix internal form, indexed by context_code. */
    static const char *context_name[] = {
        MAIL_ATTR_RWR_LOCAL,            /* Postfix internal form */
        MAIL_ATTR_RWR_REMOTE,           /* Postfix internal form */
    };
    /* DOMAIN wire value -> index into context_name[]; -1 for anything else. */
    static const NAME_CODE xforward_to_context[] = {
        XFORWARD_DOM_LOCAL, 0,          /* XFORWARD representation */
        XFORWARD_DOM_REMOTE, 1,         /* XFORWARD representation */
        0, -1,
    };
    int     flag;
    int     context_code;

    /*
     * Sanity checks: XFORWARD is not allowed inside a MAIL transaction, and
     * at least one attribute is required.
     */
    if (SMTPD_IN_MAIL_TRANSACTION(state)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
        return (-1);
    }
    if (argc < 2) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...",
                         XFORWARD_CMD);
        return (-1);
    }

    /*
     * A failed xforward_hosts lookup is reported through
     * cant_permit_command(); what that does next (log only, or abort the
     * session) is decided outside this block. Either way the authorization
     * flag below is what actually gates the command.
     */
    if (xforward_hosts && xforward_hosts->error)
        cant_permit_command(state, XFORWARD_CMD);
    if (!xforward_allowed) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
        return (-1);
    }

    /*
     * Initialize: first XFORWARD of the session presets all fields; the
     * expand_buf VSTRING is reused as scratch space for xtext decoding.
     */
    if (state->xforward.flags == 0)
        smtpd_xforward_preset(state);
    if (state->expand_buf == 0)
        state->expand_buf = vstring_alloc(100);

    /*
     * Iterate over all attribute=value elements. Any error aborts the whole
     * command with -1; attributes processed before the error remain stored
     * (see the NOTE(review) above).
     */
    for (argp = argv + 1; argp < argv + argc; argp++) {
        attr_name = argp->strval;

        /* split_at() presumably cuts attr_name at '=' and returns the rest. */
        if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) {
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected");
            return (-1);
        }
        /* Bound the encoded value before decoding anything. */
        if (strlen(raw_value) > 255) {
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long");
            return (-1);
        }

        /*
         * Backwards compatibility: Postfix prior to version 2.3 does not
         * xtext encode attribute values. When decoding fails, the raw value
         * is used as-is.
         */
        attr_value = xtext_unquote(state->expand_buf, raw_value) ?
            STR(state->expand_buf) : raw_value;

        /*
         * For safety's sake mask non-printable characters (in place). We'll
         * do more specific censoring later, per attribute.
         */
        printable(attr_value, '?');

        flag = name_code(xforward_flags, NAME_CODE_FLAG_NONE, attr_name);
        switch (flag) {

            /*
             * NAME=up-stream host name, not necessarily in the DNS. Censor
             * special characters that could mess up message headers, then
             * require hostname syntax. "[unavailable]" maps to the unknown
             * placeholder without further checks.
             */
        case SMTPD_STATE_XFORWARD_NAME:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_NAME_UNKNOWN;
            } else {
                /* XXX EAI */
                neuter(attr_value, NEUTER_CHARACTERS, '?');
                if (!valid_hostname(attr_value, DONT_GRIPE)) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XFORWARD_NAME, attr_value);
                    return (-1);
                }
            }
            UPDATE_STR(state->xforward.name, attr_value);
            break;

            /*
             * ADDR=up-stream host network address, not necessarily on the
             * Internet. Censor special characters that could mess up message
             * headers. Two forms are kept: the address as validated
             * (rfc_addr) and the bare form returned by valid_mailhost_addr()
             * (addr).
             */
        case SMTPD_STATE_XFORWARD_ADDR:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_ADDR_UNKNOWN;
                bare_value = attr_value;
            } else {
                neuter(attr_value, NEUTER_CHARACTERS, '?');
                if ((bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XFORWARD_ADDR, attr_value);
                    return (-1);
                }
            }
            UPDATE_STR(state->xforward.addr, bare_value);
            UPDATE_STR(state->xforward.rfc_addr, attr_value);
            break;

            /*
             * PORT=up-stream port number. Only digits, at most five of them.
             *
             * NOTE(review): this bounds the digit count, not the numeric
             * range, so a value such as 99999 is accepted. The port is kept
             * as a string here; whether anything downstream parses it
             * numerically is not visible in this file.
             */
        case SMTPD_STATE_XFORWARD_PORT:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_PORT_UNKNOWN;
            } else {
                if (!alldig(attr_value)
                    || strlen(attr_value) > sizeof("65535") - 1) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XFORWARD_PORT, attr_value);
                    return (-1);
                }
            }
            UPDATE_STR(state->xforward.port, attr_value);
            break;

            /*
             * HELO=hostname that the up-stream MTA introduced itself with
             * (not necessarily SMTP HELO). Censor special characters that
             * could mess up message headers; no syntax check beyond that.
             */
        case SMTPD_STATE_XFORWARD_HELO:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_HELO_UNKNOWN;
            } else {
                neuter(attr_value, NEUTER_CHARACTERS, '?');
            }
            UPDATE_STR(state->xforward.helo_name, attr_value);
            break;

            /*
             * PROTO=up-stream protocol, not necessarily SMTP or ESMTP.
             * Limited to 64 bytes; censor special characters that could mess
             * up message headers.
             */
        case SMTPD_STATE_XFORWARD_PROTO:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_PROTO_UNKNOWN;
            } else {
                if (strlen(attr_value) > 64) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XFORWARD_PROTO, attr_value);
                    return (-1);
                }
                neuter(attr_value, NEUTER_CHARACTERS, '?');
            }
            UPDATE_STR(state->xforward.protocol, attr_value);
            break;

            /*
             * IDENT=local message identifier on the up-stream MTA. Censor
             * special characters that could mess up logging or macro
             * expansions.
             */
        case SMTPD_STATE_XFORWARD_IDENT:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_IDENT_UNKNOWN;
            } else {
                neuter(attr_value, NEUTER_CHARACTERS, '?');
            }
            UPDATE_STR(state->xforward.ident, attr_value);
            break;

            /*
             * DOMAIN=local or remote. "[unavailable]" is treated as local;
             * anything outside xforward_to_context[] is a syntax error.
             */
        case SMTPD_STATE_XFORWARD_DOMAIN:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE))
                attr_value = XFORWARD_DOM_LOCAL;
            if ((context_code = name_code(xforward_to_context,
                                          NAME_CODE_FLAG_NONE,
                                          attr_value)) < 0) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                 XFORWARD_DOMAIN, attr_value);
                return (-1);
            }
            UPDATE_STR(state->xforward.domain, context_name[context_code]);
            break;

            /*
             * Unknown attribute name. Complain. attr_name was not masked by
             * printable() above, but smtpd_chat_reply() is the only consumer
             * here.
             */
        default:
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s",
                             XFORWARD_CMD, attr_name);
            return (-1);
        }
        updated |= flag;
    }
    /* Only reached when every attribute was accepted. */
    state->xforward.flags |= updated;

    /*
     * Update the combined name and address when either has changed. Use only
     * the name when no address is available.
     */
    if (updated & (SMTPD_STATE_XFORWARD_NAME | SMTPD_STATE_XFORWARD_ADDR)) {
        if (state->xforward.namaddr)
            myfree(state->xforward.namaddr);
        state->xforward.namaddr =
            IS_AVAIL_CLIENT_ADDR(state->xforward.addr) ?
            SMTPD_BUILD_NAMADDRPORT(state->xforward.name,
                                    state->xforward.addr,
                                    state->xforward.port) :
            mystrdup(state->xforward.name);
    }
    smtpd_chat_reply(state, "250 2.0.0 Ok");
    return (0);
}
4372
4373/* chat_reset - notify postmaster and reset conversation log */
4374
/*
 * Flushes the per-session conversation log once it holds more than
 * 'threshold' entries. Before discarding it, the postmaster is notified
 * when the accumulated state->error_mask intersects state->notify_mask and
 * the server is not running stand-alone (postmaster notices need the cleanup
 * service, which stand-alone mode lacks). The caller at the end of a session
 * passes threshold 0, i.e. any non-empty history is processed.
 *
 * Side effects: may call smtpd_chat_notify(); clears state->error_mask and
 * resets the history via smtpd_chat_reset(). Does nothing when there is no
 * history or it is not longer than the threshold.
 */
static void chat_reset(SMTPD_STATE *state, int threshold)
{
    int     worth_notifying;

    if (state->history == 0)
        return;
    if (state->history->argc <= threshold)
        return;

    /* Same order as the original test: stand-alone check first, then mask. */
    worth_notifying = (SMTPD_STAND_ALONE(state) == 0)
        && (state->error_mask & state->notify_mask) != 0;
    if (worth_notifying)
        smtpd_chat_notify(state);

    state->error_mask = 0;
    smtpd_chat_reset(state);
}
4393
4394#ifdef USE_TLS
4395
4396/* smtpd_start_tls - turn on TLS or force disconnect */
4397
/*
 * Turns on TLS on state->client, or terminates the session. Shared between
 * the STARTTLS command and TLS wrapper mode (see the callers in this file).
 *
 * Outcomes:
 *  - handshake failure: does not return (longjmp with SMTP_ERR_EOF);
 *  - new-session rate limit exceeded: sends 421 when a context exists, then
 *    does not return (longjmp with SMTP_ERR_QUIET);
 *  - verified client certificate required but absent or untrusted: reads and
 *    rejects the next command with 421, sets MAIL_ERROR_POLICY, returns;
 *  - success: state->tls_context is set, SASL is (re)activated with the TLS
 *    option set, returns.
 *
 * Client-certificate enforcement (requirecert) applies only when TLS itself
 * is enforced; see the comment in the non-proxy branch for why.
 */
static void smtpd_start_tls(SMTPD_STATE *state)
{
    int     rate;
    int     cert_present;
    int     requirecert;

#ifdef USE_TLSPROXY

    /*
     * This is non-production code, for tlsproxy(8) load testing only. It
     * implements enough to enable some Postfix features that depend on TLS
     * encryption.
     *
     * To insert tlsproxy(8) between this process and the SMTP client, we swap
     * the file descriptors between the state->tlsproxy and state->client
     * VSTREAMS, so that we don't lose all the user-configurable
     * state->client attributes (such as longjump buffers or timeouts).
     *
     * As we implement tlsproxy support in the Postfix SMTP client we should
     * develop a usable abstraction that encapsulates this stream plumbing in
     * a library module.
     */
    vstream_control(state->tlsproxy, CA_VSTREAM_CTL_DOUBLE, CA_VSTREAM_CTL_END);
    vstream_control(state->client, CA_VSTREAM_CTL_SWAP_FD(state->tlsproxy),
                    CA_VSTREAM_CTL_END);
    (void) vstream_fclose(state->tlsproxy);     /* after the swap this is the direct-to-client stream! */
    state->tlsproxy = 0;

    /*
     * After plumbing the plaintext stream, receive the TLS context object.
     * For this we must use the same VSTREAM buffer that we also use to
     * receive subsequent SMTP commands. The attribute protocol is robust
     * enough that an adversary cannot inject their own bogus TLS context
     * attributes into the stream.
     */
    state->tls_context = tls_proxy_context_receive(state->client);

    /*
     * XXX Maybe it is better to send this information to tlsproxy(8) when
     * requesting service, effectively making a remote tls_server_start()
     * call.
     */
    requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls);

#else /* USE_TLSPROXY */
    TLS_SERVER_START_PROPS props;
    static char *cipher_grade;          /* computed once per process */
    static VSTRING *cipher_exclusions;  /* computed once per process */

    /*
     * Wrapper mode uses a dedicated port and always requires TLS.
     *
     * XXX In non-wrapper mode, it is possible to require client certificate
     * verification without requiring TLS. Since certificates can be verified
     * only while TLS is turned on, this means that Postfix will happily
     * perform SMTP transactions when the client does not use the STARTTLS
     * command. For this reason, Postfix does not require client certificate
     * verification unless TLS is required.
     *
     * The cipher grade and exclusions don't change between sessions. Compute
     * just once and cache. Note that the grade and the exclusion list are
     * chosen from the mandatory (enforced) settings only when TLS is
     * enforced; the opportunistic settings apply otherwise.
     */
#define ADD_EXCLUDE(vstr, str) \
    do { \
        if (*(str)) \
            vstring_sprintf_append((vstr), "%s%s", \
                                   VSTRING_LEN(vstr) ? " " : "", (str)); \
    } while (0)

    if (cipher_grade == 0) {
        cipher_grade = var_smtpd_enforce_tls ?
            var_smtpd_tls_mand_ciph : var_smtpd_tls_ciph;
        cipher_exclusions = vstring_alloc(10);
        ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_excl_ciph);
        if (var_smtpd_enforce_tls)
            ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_mand_excl);
        /* Anonymous suites are excluded whenever a client cert is requested
         * (presumably because they cannot carry one). */
        if (ask_client_cert)
            ADD_EXCLUDE(cipher_exclusions, "aNULL");
    }

    /*
     * Perform the TLS handshake now. Check the client certificate
     * requirements later, if necessary.
     */
    requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls);

    state->tls_context =
        TLS_SERVER_START(&props,
                         ctx = smtpd_tls_ctx,
                         stream = state->client,
                         fd = -1,
                         timeout = var_smtpd_starttls_tmout,
                         requirecert = requirecert,
                         serverid = state->service,
                         namaddr = state->namaddr,
                         cipher_grade = cipher_grade,
                         cipher_exclusions = STR(cipher_exclusions),
                         mdalg = var_smtpd_tls_fpt_dgst);

#endif /* USE_TLSPROXY */

    /*
     * For new (i.e. not re-used) TLS sessions, increment the client's new
     * TLS session rate counter. We enforce the limit here only for human
     * factors reasons (reduce the WTF factor), even though it is too late to
     * save the CPU that was already burnt on PKI ops. The real safety
     * mechanism applies with future STARTTLS commands (or wrappermode
     * connections), prior to the SSL handshake.
     *
     * A failed handshake (tls_context == 0) counts as a new session too, so
     * repeated failed handshakes also feed the rate counter.
     *
     * XXX The client event count/rate control must be consistent in its use of
     * client address information in connect and disconnect events. For now
     * we exclude xclient authorized hosts from event count/rate control.
     */
    if (var_smtpd_cntls_limit > 0
        && (state->tls_context == 0 || state->tls_context->session_reused == 0)
        && SMTPD_STAND_ALONE(state) == 0
        && !xclient_allowed
        && anvil_clnt
        && !namadr_list_match(hogger_list, state->name, state->addr)
        && anvil_clnt_newtls(anvil_clnt, state->service, state->addr,
                             &rate) == ANVIL_STAT_OK
        && rate > var_smtpd_cntls_limit) {
        state->error_mask |= MAIL_ERROR_POLICY;
        msg_warn("New TLS session rate limit exceeded: %d from %s for service %s",
                 rate, state->namaddr, state->service);
        /* Only a successful handshake leaves a stream we can reply on. */
        if (state->tls_context)
            smtpd_chat_reply(state,
                     "421 4.7.0 %s Error: too many new TLS sessions from %s",
                             var_myhostname, state->namaddr);
        /* XXX Use regular return to signal end of session. */
        vstream_longjmp(state->client, SMTP_ERR_QUIET);
    }

    /*
     * When the TLS handshake fails, the conversation is in an unknown state.
     * There is nothing we can do except to disconnect from the client.
     */
    if (state->tls_context == 0)
        vstream_longjmp(state->client, SMTP_ERR_EOF);

    /*
     * If we are requiring verified client certs, enforce the constraint
     * here. We have a usable TLS session with the client, so no need to
     * disable I/O, ... we can even be polite and send "421 ...".
     */
    if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) {

        /*
         * Fetch and reject the next command (should be EHLO), then
         * disconnect (side-effect of returning "421 ..."; presumably the
         * reply marks the session for hangup, which the command loop in
         * smtpd_proto() checks via SMTPD_FLAG_HANGUP). The command itself is
         * read but not parsed or executed.
         */
        cert_present = TLS_CERT_IS_PRESENT(state->tls_context);
        msg_info("NOQUEUE: abort: TLS from %s: %s",
                 state->namaddr, cert_present ?
                 "Client certificate not trusted" :
                 "No client certificate presented");
        smtpd_chat_query(state);
        smtpd_chat_reply(state, "421 4.7.1 %s Error: %s",
                         var_myhostname, cert_present ?
                         "Client certificate not trusted" :
                         "No client certificate presented");
        state->error_mask |= MAIL_ERROR_POLICY;
        return;
    }

    /*
     * When TLS is turned on, we may offer AUTH methods that would not be
     * offered within a plain-text session.
     *
     * XXX Always refresh SASL the mechanism list after STARTTLS. Dovecot
     * responses may depend on whether the SMTP connection is encrypted.
     */
#ifdef USE_SASL_AUTH
    if (var_smtpd_sasl_enable) {
        /* Non-wrappermode, presumably: drop the plaintext mechanism set. */
        if (smtpd_sasl_is_active(state)) {
            smtpd_sasl_auth_reset(state);
            smtpd_sasl_deactivate(state);
        }
        /* Wrappermode and non-wrappermode: activate with the TLS option set. */
        if (smtpd_sasl_is_active(state) == 0)
            smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
                                var_smtpd_sasl_tls_opts);
    }
#endif
}
4584
4585/* starttls_cmd - respond to STARTTLS */
4586
/*
 * Responds to the STARTTLS command. Returns -1 after an error reply (and a
 * MAIL_ERROR_* bit in state->error_mask), or 0 after handing the connection
 * to smtpd_start_tls(); note that the latter does not return when the
 * handshake fails.
 *
 * Check order: syntax, Milter veto, TLS already active (554), STARTTLS not
 * offered (502), TLS machinery unavailable (454), new-session rate limit
 * (454). Only then is "220 Ready to start TLS" sent and the plaintext side
 * flushed and purged before the handshake.
 */
static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    const char *err;
    int     rate;

    if (argc != 1) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS");
        return (-1);
    }
    /* The Milter reply text is passed as an argument, never as the format. */
    if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0) {
        if (err[0] == '5') {
            state->error_mask |= MAIL_ERROR_POLICY;
            smtpd_chat_reply(state, "%s", err);
            return (-1);
        }
        /* Sendmail compatibility: map 4xx into 454. */
        else if (err[0] == '4') {
            state->error_mask |= MAIL_ERROR_POLICY;
            smtpd_chat_reply(state, "454 4.3.0 Try again later");
            return (-1);
        }
    }
    if (state->tls_context != 0) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "554 5.5.1 Error: TLS already active");
        return (-1);
    }
    /* Refuse what was not announced (globally off, or suppressed for this client). */
    if (var_smtpd_use_tls == 0
        || (state->ehlo_discard_mask & EHLO_MASK_STARTTLS)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented");
        return (-1);
    }
#ifdef USE_TLSPROXY

    /*
     * Note: state->tlsproxy is left open when smtp_flush() calls longjmp(),
     * so we garbage-collect the VSTREAM in smtpd_state_reset().
     */
#define PROXY_OPEN_FLAGS \
        (TLS_PROXY_FLAG_ROLE_SERVER | TLS_PROXY_FLAG_SEND_CONTEXT)

    state->tlsproxy = tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS,
                                     state->client, state->addr,
                                     state->port, var_smtpd_tmout);
    if (state->tlsproxy == 0) {
        state->error_mask |= MAIL_ERROR_SOFTWARE;
        /* RFC 3207 Section 4. */
        smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
        return (-1);
    }
#else /* USE_TLSPROXY */
    /* No server context means TLS initialization failed at startup. */
    if (smtpd_tls_ctx == 0) {
        state->error_mask |= MAIL_ERROR_SOFTWARE;
        /* RFC 3207 Section 4. */
        smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
        return (-1);
    }
#endif /* USE_TLSPROXY */

    /*
     * Enforce TLS handshake rate limit when this client negotiated too many
     * new TLS sessions in the recent past. This is the pre-handshake check;
     * anvil_clnt_newtls_stat() presumably only reads the counter, while
     * smtpd_start_tls() increments it after the handshake.
     *
     * XXX The client event count/rate control must be consistent in its use of
     * client address information in connect and disconnect events. For now
     * we exclude xclient authorized hosts from event count/rate control.
     */
    if (var_smtpd_cntls_limit > 0
        && SMTPD_STAND_ALONE(state) == 0
        && !xclient_allowed
        && anvil_clnt
        && !namadr_list_match(hogger_list, state->name, state->addr)
        && anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr,
                                  &rate) == ANVIL_STAT_OK
        && rate > var_smtpd_cntls_limit) {
        state->error_mask |= MAIL_ERROR_POLICY;
        msg_warn("Refusing STARTTLS request from %s for service %s",
                 state->namaddr, state->service);
        smtpd_chat_reply(state,
                         "454 4.7.0 Error: too many new TLS sessions from %s",
                         state->namaddr);
#ifdef USE_TLSPROXY
        /* The proxy stream was opened above and must not leak past this reply. */
        (void) vstream_fclose(state->tlsproxy);
        state->tlsproxy = 0;
#endif
        return (-1);
    }
    smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS");
    /* Flush before we switch read/write routines or file descriptors. */
    smtp_flush(state->client);

    /*
     * At this point there must not be any pending plaintext. Discarding both
     * buffer directions means that anything the client sent in plaintext
     * after the STARTTLS line is dropped rather than being read back as the
     * first input of the encrypted session.
     */
    vstream_fpurge(state->client, VSTREAM_PURGE_BOTH);

    /*
     * Reset all inputs to the initial state, so nothing learned over the
     * plaintext connection (HELO name, envelope) survives into the TLS
     * session.
     *
     * XXX RFC 2487 does not forbid the use of STARTTLS while mail transfer is
     * in progress, so we have to allow it even when it makes no sense.
     */
    helo_reset(state);
    mail_reset(state);
    rcpt_reset(state);

    /*
     * Turn on TLS, using code that is shared with TLS wrapper mode. This
     * code does not return when the handshake fails.
     */
    smtpd_start_tls(state);
    return (0);
}
4699
4700/* tls_reset - undo STARTTLS */
4701
/*
 * Tears down the TLS layer on state->client at the end of a session. A
 * no-op when no TLS context is active. When the client stream already hit
 * EOF or an error, the shutdown is flagged as a failure so the stop routine
 * can skip work that needs a live peer (what exactly it skips is decided in
 * tls_server_stop()). The stream is flushed with vstream_fflush(), NOT
 * smtp_flush(), before the context is released. Always leaves
 * state->tls_context cleared.
 */
static void tls_reset(SMTPD_STATE *state)
{
    int     lost_contact;

    if (state->tls_context == 0)
        return;

    /* Don't waste time when we lost contact. */
    lost_contact = (vstream_feof(state->client)
                    || vstream_ferror(state->client)) ? 1 : 0;
    vstream_fflush(state->client);              /* NOT: smtp_flush() */
#ifdef USE_TLSPROXY
    tls_proxy_context_free(state->tls_context);
#else
    tls_server_stop(smtpd_tls_ctx, state->client, var_smtpd_starttls_tmout,
                    lost_contact, state->tls_context);
#endif
    state->tls_context = 0;
}
4722
4723#endif
4724
4725#if !defined(USE_TLS) || !defined(USE_SASL_AUTH)
4726
4727/* unimpl_cmd - dummy for functionality that is not compiled in */
4728
/*
 * Placeholder handler for STARTTLS or AUTH when the corresponding support is
 * not compiled in. Replies "502 5.5.1 Error: command not implemented", sets
 * MAIL_ERROR_PROTOCOL and returns -1, exactly like a real handler rejecting
 * a command. Having a table entry (instead of treating the verb as unknown)
 * keeps the per-command counters for these verbs separate when a connection
 * is closed and leaves the command loop untouched.
 */
static int unimpl_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    static const char not_implemented[] =
        "502 5.5.1 Error: command not implemented";

    state->error_mask |= MAIL_ERROR_PROTOCOL;
    smtpd_chat_reply(state, not_implemented);
    return (-1);
}
4742
4743#endif
4744
/*
 * The table of all SMTP commands that we know. Set the junk limit flag on
 * any command that can be repeated an arbitrary number of times without
 * triggering a tarpit delay of some sort.
 */
typedef struct SMTPD_CMD {
    char   *name;                       /* SMTP verb; 0 terminates the table */
    int     (*action) (SMTPD_STATE *, int, SMTPD_TOKEN *);   /* handler: 0 on success, -1 after an error reply */
    int     flags;                      /* SMTPD_CMD_FLAG_* bits */
    int     success_count;              /* per-session counters, zeroed at session start in smtpd_proto() */
    int     total_count;                /* incremented for every lookup, including unknown verbs via the terminator entry */
} SMTPD_CMD;

#define SMTPD_CMD_FLAG_LIMIT    (1<<0)  /* limit usage */
#define SMTPD_CMD_FLAG_PRE_TLS  (1<<1)  /* allow before STARTTLS */
#define SMTPD_CMD_FLAG_LAST     (1<<2)  /* last in PIPELINING command group */
4761
/*
 * Dispatch table, scanned linearly with a case-insensitive name compare in
 * smtpd_proto(). The {0,} entry terminates the scan and doubles as the slot
 * whose total_count is bumped for unrecognized commands. Entries without
 * SMTPD_CMD_FLAG_PRE_TLS (XCLIENT, XFORWARD, AUTH, MAIL, RCPT, DATA, RSET,
 * VRFY, ETRN) are presumably refused before STARTTLS when TLS is enforced;
 * that enforcement lives outside this table. Counters are positional
 * initializers left at zero.
 */
static SMTPD_CMD smtpd_cmd_table[] = {
    {SMTPD_CMD_HELO, helo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_EHLO, ehlo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_XCLIENT, xclient_cmd,},
    {SMTPD_CMD_XFORWARD, xforward_cmd,},
#ifdef USE_TLS
    {SMTPD_CMD_STARTTLS, starttls_cmd, SMTPD_CMD_FLAG_PRE_TLS,},
#else
    /* Builds without TLS still answer STARTTLS, with a 502 from unimpl_cmd(). */
    {SMTPD_CMD_STARTTLS, unimpl_cmd, SMTPD_CMD_FLAG_PRE_TLS,},
#endif
#ifdef USE_SASL_AUTH
    {SMTPD_CMD_AUTH, smtpd_sasl_auth_cmd_wrapper,},
#else
    {SMTPD_CMD_AUTH, unimpl_cmd,},
#endif
    {SMTPD_CMD_MAIL, mail_cmd,},
    {SMTPD_CMD_RCPT, rcpt_cmd,},
    {SMTPD_CMD_DATA, data_cmd, SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_RSET, rset_cmd, SMTPD_CMD_FLAG_LIMIT,},
    {SMTPD_CMD_NOOP, noop_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_VRFY, vrfy_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_ETRN, etrn_cmd, SMTPD_CMD_FLAG_LIMIT,},
    {SMTPD_CMD_QUIT, quit_cmd, SMTPD_CMD_FLAG_PRE_TLS,},
    {0,},
};
4787
/*
 * Pattern lists consulted by the command loop in smtpd_proto(): verbs
 * matching smtpd_noop_cmds get a "250 2.0.0 Ok" without being executed,
 * verbs matching smtpd_forbid_cmds end the session. Both are initialized
 * elsewhere in this file; lookup errors on them are deliberately ignored.
 */
static STRING_LIST *smtpd_noop_cmds;
static STRING_LIST *smtpd_forbid_cmds;
4790
4791/* smtpd_proto - talk the SMTP protocol */
4792
4793static void smtpd_proto(SMTPD_STATE *state)
4794{
4795 int argc;
4796 SMTPD_TOKEN *argv;
4797 SMTPD_CMD *cmdp;
4798 const char *ehlo_words;
4799 const char *err;
4800 int status;
4801 const char *cp;
4802
4803#ifdef USE_TLS
4804 int tls_rate;
4805
4806#endif
4807
4808 /*
4809 * Print a greeting banner and run the state machine. Read SMTP commands
4810 * one line at a time. According to the standard, a sender or recipient
4811 * address could contain an escaped newline. I think this is perverse,
4812 * and anyone depending on this is really asking for trouble.
4813 *
4814 * In case of mail protocol trouble, the program jumps back to this place,
4815 * so that it can perform the necessary cleanup before talking to the
4816 * next client. The setjmp/longjmp primitives are like a sharp tool: use
4817 * with care. I would certainly recommend against the use of
4818 * setjmp/longjmp in programs that change privilege levels.
4819 *
4820 * In case of file system trouble the program terminates after logging the
4821 * error and after informing the client. In all other cases (out of
4822 * memory, panic) the error is logged, and the msg_cleanup() exit handler
4823 * cleans up, but no attempt is made to inform the client of the nature
4824 * of the problem.
4825 */
4826 smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_rec_deadline);
4827
4828 while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE)
4829 /* void */ ;
4830 switch (status) {
4831
4832 default:
4833 msg_panic("smtpd_proto: unknown error reading from %s",
4834 state->namaddr);
4835 break;
4836
4837 case SMTP_ERR_TIME:
4838 state->reason = REASON_TIMEOUT;
4839 if (vstream_setjmp(state->client) == 0)
4840 smtpd_chat_reply(state, "421 4.4.2 %s Error: timeout exceeded",
4841 var_myhostname);
4842 break;
4843
4844 case SMTP_ERR_EOF:
4845 state->reason = REASON_LOST_CONNECTION;
4846 break;
4847
4848 case SMTP_ERR_QUIET:
4849 break;
4850
4851 case SMTP_ERR_DATA:
4852 msg_info("%s: reject: %s from %s: "
4853 "421 4.3.0 %s Server local data error",
4854 (state->queue_id ? state->queue_id : "NOQUEUE"),
4855 state->where, state->namaddr, var_myhostname);
4856 state->error_mask |= MAIL_ERROR_DATA;
4857 if (vstream_setjmp(state->client) == 0)
4858 smtpd_chat_reply(state, "421 4.3.0 %s Server local data error",
4859 var_myhostname);
4860 break;
4861
4862 case 0:
4863
4864 /*
4865 * Reset the per-command counters.
4866 */
4867 for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) {
4868 cmdp->success_count = cmdp->total_count = 0;
4869 if (cmdp->name == 0)
4870 break;
4871 }
4872
4873 /*
4874 * In TLS wrapper mode, turn on TLS using code that is shared with
4875 * the STARTTLS command. This code does not return when the handshake
4876 * fails.
4877 *
4878 * Enforce TLS handshake rate limit when this client negotiated too many
4879 * new TLS sessions in the recent past.
4880 *
4881 * XXX This means we don't complete a TLS handshake just to tell the
4882 * client that we don't provide service. TLS wrapper mode is
4883 * obsolete, so we don't have to provide perfect support.
4884 */
4885#ifdef USE_TLS
4886 if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) {
4887#ifdef USE_TLSPROXY
4888 /* We garbage-collect the VSTREAM in smtpd_state_reset() */
4889 state->tlsproxy = tls_proxy_open(var_tlsproxy_service,
4890 PROXY_OPEN_FLAGS,
4891 state->client, state->addr,
4892 state->port, var_smtpd_tmout);
4893 if (state->tlsproxy == 0) {
4894 msg_warn("Wrapper-mode request dropped from %s for service %s."
4895 " TLS context initialization failed. For details see"
4896 " earlier warnings in your logs.",
4897 state->namaddr, state->service);
4898 break;
4899 }
4900#else /* USE_TLSPROXY */
4901 if (smtpd_tls_ctx == 0) {
4902 msg_warn("Wrapper-mode request dropped from %s for service %s."
4903 " TLS context initialization failed. For details see"
4904 " earlier warnings in your logs.",
4905 state->namaddr, state->service);
4906 break;
4907 }
4908#endif /* USE_TLSPROXY */
4909 if (var_smtpd_cntls_limit > 0
4910 && !xclient_allowed
4911 && anvil_clnt
4912 && !namadr_list_match(hogger_list, state->name, state->addr)
4913 && anvil_clnt_newtls_stat(anvil_clnt, state->service,
4914 state->addr, &tls_rate) == ANVIL_STAT_OK
4915 && tls_rate > var_smtpd_cntls_limit) {
4916 state->error_mask |= MAIL_ERROR_POLICY;
4917 msg_warn("Refusing TLS service request from %s for service %s",
4918 state->namaddr, state->service);
4919 break;
4920 }
4921 smtpd_start_tls(state);
4922 }
4923#endif
4924
4925 /*
4926 * XXX The client connection count/rate control must be consistent in
4927 * its use of client address information in connect and disconnect
4928 * events. For now we exclude xclient authorized hosts from
4929 * connection count/rate control.
4930 *
4931 * XXX Must send connect/disconnect events to the anvil server even when
4932 * this service is not connection count or rate limited, otherwise it
4933 * will discard client message or recipient rate information too
4934 * early or too late.
4935 */
4936 if (SMTPD_STAND_ALONE(state) == 0
4937 && !xclient_allowed
4938 && anvil_clnt
4939 && !namadr_list_match(hogger_list, state->name, state->addr)
4940 && anvil_clnt_connect(anvil_clnt, state->service, state->addr,
4941 &state->conn_count, &state->conn_rate)
4942 == ANVIL_STAT_OK) {
4943 if (var_smtpd_cconn_limit > 0
4944 && state->conn_count > var_smtpd_cconn_limit) {
4945 state->error_mask |= MAIL_ERROR_POLICY;
4946 msg_warn("Connection concurrency limit exceeded: %d from %s for service %s",
4947 state->conn_count, state->namaddr, state->service);
4948 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
4949 var_myhostname, state->addr);
4950 break;
4951 }
4952 if (var_smtpd_crate_limit > 0
4953 && state->conn_rate > var_smtpd_crate_limit) {
4954 msg_warn("Connection rate limit exceeded: %d from %s for service %s",
4955 state->conn_rate, state->namaddr, state->service);
4956 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
4957 var_myhostname, state->addr);
4958 break;
4959 }
4960 }
4961
4962 /*
4963 * Determine what server ESMTP features to suppress, typically to
4964 * avoid inter-operability problems. Moved up so we don't send 421
4965 * immediately after sending the initial server response.
4966 */
4967 if (ehlo_discard_maps == 0
4968 || (ehlo_words = maps_find(ehlo_discard_maps, state->addr, 0)) == 0)
4969 ehlo_words = var_smtpd_ehlo_dis_words;
4970 state->ehlo_discard_mask = ehlo_mask(ehlo_words);
4971
4972 /* XXX We use the real client for connect access control. */
4973 if (SMTPD_STAND_ALONE(state) == 0
4974 && var_smtpd_delay_reject == 0
4975 && (err = smtpd_check_client(state)) != 0) {
4976 state->error_mask |= MAIL_ERROR_POLICY;
4977 state->access_denied = mystrdup(err);
4978 smtpd_chat_reply(state, "%s", state->access_denied);
4979 state->error_count++;
4980 }
4981
4982 /*
4983 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses
4984 * other than the initial greeting and any response to HELO or EHLO
4985 * are prefaced with a status code as defined in RFC 3463.
4986 */
4987
4988 /*
4989 * XXX If a Milter rejects CONNECT, reply with 220 except in case of
4990 * hard reject or 421 (disconnect). The reply persists so it will
4991 * apply to MAIL FROM and to other commands such as AUTH, STARTTLS,
4992 * and VRFY. Note: after a Milter CONNECT reject, we must not reject
4993 * HELO or EHLO, but we do change the feature list that is announced
4994 * in the EHLO response.
4995 */
4996 else {
4997 err = 0;
4998 if (smtpd_milters != 0 && SMTPD_STAND_ALONE(state) == 0) {
4999 milter_macro_callback(smtpd_milters, smtpd_milter_eval,
5000 (void *) state);
5001 if ((err = milter_conn_event(smtpd_milters, state->name,
5002 state->addr,
5003 strcmp(state->port, CLIENT_PORT_UNKNOWN) ?
5004 state->port : "0",
5005 state->addr_family)) != 0)
5006 err = check_milter_reply(state, err);
5007 }
5008 if (err && err[0] == '5') {
5009 state->error_mask |= MAIL_ERROR_POLICY;
5010 smtpd_chat_reply(state, "554 %s ESMTP not accepting connections",
5011 var_myhostname);
5012 state->error_count++;
5013 } else if (err && strncmp(err, "421", 3) == 0) {
5014 state->error_mask |= MAIL_ERROR_POLICY;
5015 smtpd_chat_reply(state, "421 %s Service unavailable - try again later",
5016 var_myhostname);
5017 /* Not: state->error_count++; */
5018 } else {
5019 smtpd_chat_reply(state, "220 %s", var_smtpd_banner);
5020 }
5021 }
5022
5023 /*
5024 * SASL initialization for plaintext mode.
5025 *
5026 * XXX Backwards compatibility: allow AUTH commands when the AUTH
5027 * announcement is suppressed via smtpd_sasl_exceptions_networks.
5028 *
5029 * XXX Safety: don't enable SASL with "smtpd_tls_auth_only = yes" and
5030 * non-TLS build.
5031 */
5032#ifdef USE_SASL_AUTH
5033 if (var_smtpd_sasl_enable && smtpd_sasl_is_active(state) == 0
5034#ifdef USE_TLS
5035 && state->tls_context == 0 && !var_smtpd_tls_auth_only
5036#else
5037 && var_smtpd_tls_auth_only == 0
5038#endif
5039 )
5040 smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
5041 var_smtpd_sasl_opts);
5042#endif
5043
5044 /*
5045 * The command read/execute loop.
5046 */
5047 for (;;) {
5048 if (state->flags & SMTPD_FLAG_HANGUP)
5049 break;
5050 if (state->error_count >= var_smtpd_hard_erlim) {
5051 state->reason = REASON_ERROR_LIMIT;
5052 state->error_mask |= MAIL_ERROR_PROTOCOL;
5053 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors",
5054 var_myhostname);
5055 pfilter_notify(1, vstream_fileno(state->client));
5056 break;
5057 }
5058 watchdog_pat();
5059 smtpd_chat_query(state);
5060 /* Safety: protect internal interfaces against malformed UTF-8. */
5061 if (var_smtputf8_enable && valid_utf8_string(STR(state->buffer),
5062 LEN(state->buffer)) == 0) {
5063 state->error_mask |= MAIL_ERROR_PROTOCOL;
5064 smtpd_chat_reply(state, "500 5.5.2 Error: bad UTF-8 syntax");
5065 state->error_count++;
5066 continue;
5067 }
5068 /* Move into smtpd_chat_query() and update session transcript. */
5069 if (smtpd_cmd_filter != 0) {
5070 for (cp = STR(state->buffer); *cp && IS_SPACE_TAB(*cp); cp++)
5071 /* void */ ;
5072 if ((cp = dict_get(smtpd_cmd_filter, cp)) != 0) {
5073 msg_info("%s: replacing command \"%.100s\" with \"%.100s\"",
5074 state->namaddr, STR(state->buffer), cp);
5075 vstring_strcpy(state->buffer, cp);
5076 } else if (smtpd_cmd_filter->error != 0) {
5077 msg_warn("%s:%s lookup error for \"%.100s\"",
5078 smtpd_cmd_filter->type, smtpd_cmd_filter->name,
5079 printable(STR(state->buffer), '?'));
5080 vstream_longjmp(state->client, SMTP_ERR_DATA);
5081 }
5082 }
5083 if ((argc = smtpd_token(vstring_str(state->buffer), &argv)) == 0) {
5084 state->error_mask |= MAIL_ERROR_PROTOCOL;
5085 smtpd_chat_reply(state, "500 5.5.2 Error: bad syntax");
5086 state->error_count++;
5087 continue;
5088 }
5089 /* Ignore smtpd_noop_cmds lookup errors. Non-critical feature. */
5090 if (*var_smtpd_noop_cmds
5091 && string_list_match(smtpd_noop_cmds, argv[0].strval)) {
5092 smtpd_chat_reply(state, "250 2.0.0 Ok");
5093 if (state->junk_cmds++ > var_smtpd_junk_cmd_limit)
5094 state->error_count++;
5095 continue;
5096 }
5097 for (cmdp = smtpd_cmd_table; cmdp->name != 0; cmdp++)
5098 if (strcasecmp(argv[0].strval, cmdp->name) == 0)
5099 break;
5100 cmdp->total_count += 1;
5101 /* Ignore smtpd_forbid_cmds lookup errors. Non-critical feature. */
5102 if (cmdp->name == 0) {
5103 state->where = SMTPD_CMD_UNKNOWN;
5104 if (is_header(argv[0].strval)
5105 || (*var_smtpd_forbid_cmds
5106 && string_list_match(smtpd_forbid_cmds, argv[0].strval))) {
5107 msg_warn("non-SMTP command from %s: %.100s",
5108 state->namaddr, vstring_str(state->buffer));
5109 smtpd_chat_reply(state, "221 2.7.0 Error: I can break rules, too. Goodbye.");
5110 break;
5111 }
5112 }
5113 /* XXX We use the real client for connect access control. */
5114 if (state->access_denied && cmdp->action != quit_cmd) {
5115 /* XXX Exception for Milter override. */
5116 if (strncmp(state->access_denied + 1, "21", 2) == 0) {
5117 smtpd_chat_reply(state, "%s", state->access_denied);
5118 continue;
5119 }
5120 smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
5121 state->namaddr); /* RFC 2821 Sec 3.1 */
5122 state->error_count++;
5123 continue;
5124 }
5125 /* state->access_denied == 0 || cmdp->action == quit_cmd */
5126 if (cmdp->name == 0) {
5127 if (smtpd_milters != 0
5128 && SMTPD_STAND_ALONE(state) == 0
5129 && (err = milter_unknown_event(smtpd_milters,
5130 argv[0].strval)) != 0
5131 && (err = check_milter_reply(state, err)) != 0) {
5132 smtpd_chat_reply(state, "%s", err);
5133 } else
5134 smtpd_chat_reply(state, "502 5.5.2 Error: command not recognized");
5135 state->error_mask |= MAIL_ERROR_PROTOCOL;
5136 state->error_count++;
5137 continue;
5138 }
5139#ifdef USE_TLS
5140 if (var_smtpd_enforce_tls &&
5141 !state->tls_context &&
5142 (cmdp->flags & SMTPD_CMD_FLAG_PRE_TLS) == 0) {
5143 smtpd_chat_reply(state,
5144 "530 5.7.0 Must issue a STARTTLS command first");
5145 state->error_count++;
5146 continue;
5147 }
5148#endif
5149 state->where = cmdp->name;
5150 if (SMTPD_STAND_ALONE(state) == 0
5151 && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
5152 || (cmdp->flags & SMTPD_CMD_FLAG_LAST))
5153 && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
5154 && (vstream_peek(state->client) > 0
5155 || peekfd(vstream_fileno(state->client)) > 0)) {
5156 if (state->expand_buf == 0)
5157 state->expand_buf = vstring_alloc(100);
5158 escape(state->expand_buf, vstream_peek_data(state->client),
5159 vstream_peek(state->client) < 100 ?
5160 vstream_peek(state->client) : 100);
5161 msg_info("improper command pipelining after %s from %s: %s",
5162 cmdp->name, state->namaddr, STR(state->expand_buf));
5163 state->flags |= SMTPD_FLAG_ILL_PIPELINING;
5164 }
5165 if (cmdp->action(state, argc, argv) != 0)
5166 state->error_count++;
5167 else
5168 cmdp->success_count += 1;
5169 if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
5170 && state->junk_cmds++ > var_smtpd_junk_cmd_limit)
5171 state->error_count++;
5172 if (cmdp->action == quit_cmd)
5173 break;
5174 }
5175 break;
5176 }
5177
5178 /*
5179 * XXX The client connection count/rate control must be consistent in its
5180 * use of client address information in connect and disconnect events.
5181 * For now we exclude xclient authorized hosts from connection count/rate
5182 * control.
5183 *
5184 * XXX Must send connect/disconnect events to the anvil server even when
5185 * this service is not connection count or rate limited, otherwise it
5186 * will discard client message or recipient rate information too early or
5187 * too late.
5188 */
5189 if (SMTPD_STAND_ALONE(state) == 0
5190 && !xclient_allowed
5191 && anvil_clnt
5192 && !namadr_list_match(hogger_list, state->name, state->addr))
5193 anvil_clnt_disconnect(anvil_clnt, state->service, state->addr);
5194
5195 /*
5196 * Log abnormal session termination, in case postmaster notification has
5197 * been turned off. In the log, indicate the last recognized state before
5198 * things went wrong. Don't complain about clients that go away without
5199 * sending QUIT. Log the byte count after DATA to help diagnose MTU
5200 * troubles.
5201 */
5202 if (state->reason && state->where) {
5203 if (strcmp(state->where, SMTPD_AFTER_DATA) == 0) {
5204 msg_info("%s after %s (%lu bytes) from %s", /* 2.5 compat */
5205 state->reason, SMTPD_CMD_DATA, /* 2.5 compat */
5206 (long) (state->act_size + vstream_peek(state->client)),
5207 state->namaddr);
5208 } else if (strcmp(state->where, SMTPD_AFTER_DOT)
5209 || strcmp(state->reason, REASON_LOST_CONNECTION)) {
5210 msg_info("%s after %s from %s",
5211 state->reason, state->where, state->namaddr);
5212 }
5213 }
5214
5215 /*
5216 * Cleanup whatever information the client gave us during the SMTP
5217 * dialog.
5218 *
5219 * XXX Duplicated in xclient_cmd().
5220 */
5221#ifdef USE_TLS
5222 tls_reset(state);
5223#endif
5224 helo_reset(state);
5225#ifdef USE_SASL_AUTH
5226 smtpd_sasl_auth_reset(state);
5227 if (smtpd_sasl_is_active(state)) {
5228 smtpd_sasl_deactivate(state);
5229 }
5230#endif
5231 chat_reset(state, 0);
5232 mail_reset(state);
5233 rcpt_reset(state);
5234 if (smtpd_milters)
5235 milter_disc_event(smtpd_milters);
5236}
5237
5238/* smtpd_format_cmd_stats - format per-command statistics */
5239
static char *smtpd_format_cmd_stats(VSTRING *buf)
{
    SMTPD_CMD *cmdp = smtpd_cmd_table;
    int     seen_ok = 0;
    int     seen_all = 0;

    /*
     * Walk the command table up to and including its terminating entry
     * (name == 0, reported as "unknown"). Every command that was received
     * at least once contributes " name=success", with "/total" appended
     * only when some attempts failed. A session without any commands
     * writes nothing here; the summary below covers that case.
     */
    VSTRING_RESET(buf);
    do {
        if (cmdp->total_count > 0) {
            const char *label = cmdp->name ? cmdp->name : "unknown";

            vstring_sprintf_append(buf, " %s=%d", label, cmdp->success_count);
            if (cmdp->success_count != cmdp->total_count)
                vstring_sprintf_append(buf, "/%d", cmdp->total_count);
            seen_ok += cmdp->success_count;
            seen_all += cmdp->total_count;
        }
    } while ((cmdp++)->name != 0);

    /*
     * Always emit a grand total so that log analyzers see a stable field.
     * "/total" is added when not every command succeeded, and also when
     * nothing was received at all: "commands=0/0" makes an abnormal session
     * easy to spot, since any "[0-9]/" in the statistics signals a problem.
     */
    vstring_sprintf_append(buf, " commands=%d", seen_ok);
    if (seen_all == 0 || seen_ok != seen_all)
        vstring_sprintf_append(buf, "/%d", seen_all);
    return (lowercase(STR(buf)));
}
5276
5277
5278/* smtpd_service - service one client */
5279
static void smtpd_service(VSTREAM *stream, char *service, char **argv)
{
    SMTPD_STATE state;

    /*
     * This service takes no command-line arguments; anything present is a
     * configuration error and is fatal.
     */
    if (argv[0] != 0)
        msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * Without at least one of INET or INET6 enabled we can neither look up
     * interface information nor convert names and addresses, so refuse to
     * serve network clients in that case. Stand-alone mode (input from a
     * pipe) is exempt from this check.
     */
    if (SMTPD_STAND_ALONE_STREAM(stream) == 0
        && inet_proto_info()->ai_family_list[0] == 0)
        msg_fatal("all network protocols are disabled (%s = %s)",
                  VAR_INET_PROTOCOLS, var_inet_protocols);

    /*
     * Entered when a client has connected to our network port, or when the
     * server runs stand-alone. Peer name lookup and sanitization happen in
     * smtpd_state_init(); with a broken name service this is where the time
     * goes, hence the advice to run a local name server on critical
     * machines.
     */
    smtpd_state_init(&state, stream, service);
    msg_info("connect from %s", state.namaddr);

    if (SMTPD_STAND_ALONE((&state))) {

        /*
         * "sendmail -bs" runs without the privileges needed to load TLS
         * keys (see pre_jail_init), so TLS is neither offered, enforced,
         * nor required before AUTH.
         */
        var_smtpd_use_tls = 0;
        var_smtpd_enforce_tls = 0;
        var_smtpd_tls_auth_only = 0;

        /*
         * XCLIENT and XFORWARD are never honored in stand-alone mode:
         * neither may override its own access control.
         */
        xclient_allowed = 0;
        xforward_allowed = 0;
    } else {

        /*
         * Only clients on the configured host lists may use XCLIENT or
         * XFORWARD. The decision is made once here, on the peer name and
         * address established at connect time, before any command is read.
         */
        xclient_allowed =
            (namadr_list_match(xclient_hosts, state.name, state.addr) != 0);
        xforward_allowed =
            (namadr_list_match(xforward_hosts, state.name, state.addr) != 0);
    }

    /*
     * Turn on verbose logging if this client is on the debug peer list.
     */
    debug_peer_check(state.name, state.addr);

    /*
     * Provide the SMTP service, unless SMTPD_FLAG_HANGUP is already set.
     */
    if ((state.flags & SMTPD_FLAG_HANGUP) == 0)
        smtpd_proto(&state);

    /*
     * The client is gone: log the per-command statistics and release
     * everything that was set up at connection time.
     */
    msg_info("disconnect from %s%s", state.namaddr,
             smtpd_format_cmd_stats(state.buffer));
    smtpd_state_reset(&state);
    debug_peer_restore();
}
5353
5354/* pre_accept - see if tables have changed */
5355
static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *changed = dict_changed_name();

    /*
     * Nothing to do while every open table is unchanged. Otherwise log the
     * first table that changed and exit, so that the master restarts this
     * process with fresh tables before it accepts another client.
     */
    if (changed == 0)
        return;
    msg_info("table %s has changed -- restarting", changed);
    exit(0);
}
5365
5366/* pre_jail_init - pre-jail initialization */
5367
static void pre_jail_init(char *unused_name, char **unused_argv)
{

    /*
     * One-time setup that must run before entering the chroot jail and
     * before dropping privileges: compile the pattern lists, open lookup
     * tables, initialize SASL, derive the effective TLS settings from the
     * configured TLS level and wrapper mode, and load the TLS server
     * context while the keys are still readable.
     */

    /*
     * Initialize blacklist/etc. patterns before entering the chroot jail, in
     * case they specify a filename pattern.
     */
    smtpd_noop_cmds = string_list_init(VAR_SMTPD_NOOP_CMDS, MATCH_FLAG_RETURN,
                                       var_smtpd_noop_cmds);
    smtpd_forbid_cmds = string_list_init(VAR_SMTPD_FORBID_CMDS,
                                         MATCH_FLAG_RETURN,
                                         var_smtpd_forbid_cmds);
    verp_clients = namadr_list_init(VAR_VERP_CLIENTS, MATCH_FLAG_RETURN,
                                    var_verp_clients);
    xclient_hosts = namadr_list_init(VAR_XCLIENT_HOSTS, MATCH_FLAG_RETURN,
                                     var_xclient_hosts);
    xforward_hosts = namadr_list_init(VAR_XFORWARD_HOSTS, MATCH_FLAG_RETURN,
                                      var_xforward_hosts);
    hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN
                                   | match_parent_style(VAR_SMTPD_HOGGERS),
                                   var_smtpd_hoggers);

    /*
     * Open maps before dropping privileges so we can read passwords etc.
     *
     * XXX We should not do this in stand-alone (sendmail -bs) mode, but we
     * can't use SMTPD_STAND_ALONE(state) here. This means "sendmail -bs"
     * will try to connect to proxymap when invoked by root for mail
     * submission. To fix, we would have to pass stand-alone mode information
     * via different means. For now we have to tell people not to run mail
     * clients as root.
     */
    if (getuid() == 0 || getuid() == var_owner_uid)
        smtpd_check_init();
    smtpd_expand_init();
    debug_peer_init();

    /*
     * SASL: the server-side library is initialized only when the SASL
     * enable flag is set; in a build without SASL support that flag only
     * produces a warning. Note that the SASL exceptions network list below
     * is built whenever the parameter is non-empty, independently of the
     * enable flag.
     */
    if (var_smtpd_sasl_enable)
#ifdef USE_SASL_AUTH
        smtpd_sasl_initialize();

    if (*var_smtpd_sasl_exceptions_networks)
        sasl_exceptions_networks =
            namadr_list_init(VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS,
                             MATCH_FLAG_RETURN,
                             var_smtpd_sasl_exceptions_networks);
#else
        msg_warn("%s is true, but SASL support is not compiled in",
                 VAR_SMTPD_SASL_ENABLE);
#endif

    /*
     * Optional command rewriting table, opened read-only. It is consulted
     * for every client command in the smtpd_proto() read/execute loop.
     */
    if (*var_smtpd_cmd_filter)
        smtpd_cmd_filter = dict_open(var_smtpd_cmd_filter, O_RDONLY,
                                     DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);

    /*
     * XXX Temporary fix to pretend that we consistently implement TLS
     * security levels. We implement only a subset for now. If we implement
     * more levels, wrappermode should override only weaker TLS security
     * levels.
     *
     * Note: tls_level_lookup() logs no warning.
     *
     * When a TLS level is configured and wrapper mode is off, the level
     * overrides the use/enforce booleans. An unrecognized level is fatal;
     * TLS_LEV_SECURE, TLS_LEV_VERIFY and TLS_LEV_FPRINT are not supported
     * here and are downgraded to TLS_LEV_ENCRYPT with a warning.
     */
    if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) {
        switch (tls_level_lookup(var_smtpd_tls_level)) {
        default:
            msg_fatal("Invalid TLS level \"%s\"", var_smtpd_tls_level);
            /* NOTREACHED */
            break;
        case TLS_LEV_SECURE:
        case TLS_LEV_VERIFY:
        case TLS_LEV_FPRINT:
            msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"",
                     VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
            /* FALLTHROUGH */
        case TLS_LEV_ENCRYPT:
            var_smtpd_enforce_tls = var_smtpd_use_tls = 1;
            break;
        case TLS_LEV_MAY:
            var_smtpd_enforce_tls = 0;
            var_smtpd_use_tls = 1;
            break;
        case TLS_LEV_NONE:
            var_smtpd_enforce_tls = var_smtpd_use_tls = 0;
            break;
        }
    }

    /*
     * With TLS wrapper mode, we run on a dedicated port and turn on TLS
     * before actually speaking the SMTP protocol. This implies TLS enforce
     * mode.
     *
     * With non-wrapper mode, TLS enforce mode implies that we don't advertise
     * AUTH before the client issues STARTTLS.
     *
     * The order of these three assignments matters: enforce is settled
     * first, and both auth-only and use_tls are then derived from the
     * final enforce value.
     */
    var_smtpd_enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
    var_smtpd_tls_auth_only = var_smtpd_tls_auth_only || var_smtpd_enforce_tls;
    var_smtpd_use_tls = var_smtpd_use_tls || var_smtpd_enforce_tls;

    /*
     * Keys can only be loaded when running with suitable permissions. When
     * called from "sendmail -bs" this is not the case, so we must not
     * announce STARTTLS support.
     */
    if (getuid() == 0 || getuid() == var_owner_uid) {
        if (var_smtpd_use_tls) {
#ifdef USE_TLS
#ifndef USE_TLSPROXY
            TLS_SERVER_INIT_PROPS props;
            const char *cert_file;
            int     have_server_cert;
            int     no_server_cert_ok;
            int     require_server_cert;

            /*
             * Can't use anonymous ciphers if we want client certificates.
             * Must use anonymous ciphers if we have no certificates.
             *
             * XXX: Ugh! Too many booleans!
             *
             * The file-scope ask_client_cert and the local
             * require_server_cert receive the same value: client
             * certificates are requested when explicitly asked for, or
             * when TLS is enforced and client certificates are required.
             */
            ask_client_cert = require_server_cert =
                (var_smtpd_tls_ask_ccert
                 || (var_smtpd_enforce_tls && var_smtpd_tls_req_ccert));

            /*
             * The literal value "none" for the certificate file means that
             * running without a server certificate is acceptable; any
             * other value is taken as a file path.
             */
            if (strcasecmp(var_smtpd_tls_cert_file, "none") == 0) {
                no_server_cert_ok = 1;
                cert_file = "";
            } else {
                no_server_cert_ok = 0;
                cert_file = var_smtpd_tls_cert_file;
            }
            /* Any one of the three certificate files counts as "have a cert". */
            have_server_cert =
                (*cert_file || *var_smtpd_tls_dcert_file || *var_smtpd_tls_eccert_file);

            /* Some TLS configuration errors are not show stoppers. */
            if (!have_server_cert && require_server_cert)
                msg_warn("Need a server cert to request client certs");
            if (!var_smtpd_enforce_tls && var_smtpd_tls_req_ccert)
                msg_warn("Can't require client certs unless TLS is required");
            /* After a show-stopper error, reply with 454 to STARTTLS. */
            if (have_server_cert || (no_server_cert_ok && !require_server_cert))

                /*
                 * Large parameter lists are error-prone, so we emulate a
                 * language feature that C does not have natively: named
                 * parameter lists.
                 *
                 * The protocol list depends on the enforce setting: the
                 * mandatory-TLS protocol list is used when TLS is
                 * enforced, the opportunistic one otherwise.
                 */
                smtpd_tls_ctx =
                    TLS_SERVER_INIT(&props,
                                    log_param = VAR_SMTPD_TLS_LOGLEVEL,
                                    log_level = var_smtpd_tls_loglevel,
                                    verifydepth = var_smtpd_tls_ccert_vd,
                                    cache_type = TLS_MGR_SCACHE_SMTPD,
                                    set_sessid = var_smtpd_tls_set_sessid,
                                    cert_file = cert_file,
                                    key_file = var_smtpd_tls_key_file,
                                    dcert_file = var_smtpd_tls_dcert_file,
                                    dkey_file = var_smtpd_tls_dkey_file,
                                    eccert_file = var_smtpd_tls_eccert_file,
                                    eckey_file = var_smtpd_tls_eckey_file,
                                    CAfile = var_smtpd_tls_CAfile,
                                    CApath = var_smtpd_tls_CApath,
                                    dh1024_param_file
                                    = var_smtpd_tls_dh1024_param_file,
                                    dh512_param_file
                                    = var_smtpd_tls_dh512_param_file,
                                    eecdh_grade = var_smtpd_tls_eecdh,
                                    protocols = var_smtpd_enforce_tls ?
                                    var_smtpd_tls_mand_proto :
                                    var_smtpd_tls_proto,
                                    ask_ccert = ask_client_cert,
                                    mdalg = var_smtpd_tls_fpt_dgst);
            else
                msg_warn("No server certs available. TLS won't be enabled");
#endif                                  /* USE_TLSPROXY */
#else
            msg_warn("TLS has been selected, but TLS support is not compiled in");
#endif
        }
    }

    /*
     * flush client.
     */
    flush_init();

    /*
     * EHLO keyword filter.
     */
    if (*var_smtpd_ehlo_dis_maps)
        ehlo_discard_maps = maps_create(VAR_SMTPD_EHLO_DIS_MAPS,
                                        var_smtpd_ehlo_dis_maps,
                                        DICT_FLAG_LOCK);

    /*
     * DNS reply filter.
     */
    if (*var_smtpd_dns_re_filter)
        dns_rr_filter_compile(VAR_SMTPD_DNS_RE_FILTER,
                              var_smtpd_dns_re_filter);
}
5569
5570/* post_jail_init - post-jail initialization */
5571
static void post_jail_init(char *unused_name, char **unused_argv)
{
    int     need_anvil;

    /*
     * Receive transparency options: these decide whether unknown recipient
     * checks, address mapping and header/body checks are applied.
     */
    smtpd_input_transp_mask =
        input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);

    /*
     * Before-queue content filter options (speed matching: receive the
     * entire message before contacting the filter). Parsed only when a
     * proxy filter is configured.
     */
    if (*var_smtpd_proxy_filt != 0)
        smtpd_proxy_opts =
            smtpd_proxy_parse_opts(VAR_SMTPD_PROXY_OPTS, var_smtpd_proxy_opts);

    /*
     * Sendmail mail filters. When the transparency mask does not already
     * bypass Milters, either create the configured filter list or, when
     * none is configured, record in the mask that Milters are bypassed.
     *
     * XXX Should not do this when running in stand-alone mode. But that test
     * looks at VSTREAM_IN which is not available at this point.
     *
     * XXX Disable non_smtpd_milters when not sending our own mail filter list.
     */
    if ((smtpd_input_transp_mask & INPUT_TRANSP_MILTER) == 0) {
        if (*var_smtpd_milters == 0) {
            smtpd_input_transp_mask |= INPUT_TRANSP_MILTER;
        } else {
            smtpd_milters = milter_create(var_smtpd_milters,
                                          var_milt_conn_time,
                                          var_milt_cmd_time,
                                          var_milt_msg_time,
                                          var_milt_protocol,
                                          var_milt_def_action,
                                          var_milt_conn_macros,
                                          var_milt_helo_macros,
                                          var_milt_mail_macros,
                                          var_milt_rcpt_macros,
                                          var_milt_data_macros,
                                          var_milt_eoh_macros,
                                          var_milt_eod_macros,
                                          var_milt_unk_macros,
                                          var_milt_macro_deflts);
        }
    }

    /*
     * Sanity check. queue_minfree ought to be at least process_limit *
     * message_size_limit, which is impractical, so warn when it is below a
     * small multiple (1.5) of the per-message size limit. This helps to
     * avoid many unneeded (re)transmissions. Only meaningful when both
     * limits are positive.
     */
    if (var_queue_minfree > 0
        && var_message_limit > 0
        && var_queue_minfree / 1.5 < var_message_limit)
        msg_warn("%s(%lu) should be at least 1.5*%s(%lu)",
                 VAR_QUEUE_MINFREE, (unsigned long) var_queue_minfree,
                 VAR_MESSAGE_LIMIT, (unsigned long) var_message_limit);

    /*
     * Connection and rate management: the anvil client is created only
     * when at least one per-client limit is configured.
     */
    need_anvil = (var_smtpd_crate_limit != 0
                  || var_smtpd_cconn_limit != 0
                  || var_smtpd_cmail_limit != 0
                  || var_smtpd_crcpt_limit != 0
                  || var_smtpd_cntls_limit != 0
                  || var_smtpd_cauth_limit != 0);
    if (need_anvil)
        anvil_clnt = anvil_clnt_create();
}
5641
/*
 * Version stamp declaration; paired with MAIL_VERSION_STAMP_ALLOCATE in
 * main() below, which fingerprints executables and core dumps.
 */
MAIL_VERSION_STAMP_DECLARE;
5643
5644/* main - the main program */
5645
5646int main(int argc, char **argv)
5647{
5648 static const CONFIG_NINT_TABLE nint_table[] = {
5649 VAR_SMTPD_SOFT_ERLIM, DEF_SMTPD_SOFT_ERLIM, &var_smtpd_soft_erlim, 1, 0,
5650 VAR_SMTPD_HARD_ERLIM, DEF_SMTPD_HARD_ERLIM, &var_smtpd_hard_erlim, 1, 0,
5651 VAR_SMTPD_JUNK_CMD, DEF_SMTPD_JUNK_CMD, &var_smtpd_junk_cmd_limit, 1, 0,
5652 VAR_VERIFY_POLL_COUNT, DEF_VERIFY_POLL_COUNT, &var_verify_poll_count, 1, 0,
5653 0,
5654 };
5655 static const CONFIG_INT_TABLE int_table[] = {
5656 VAR_SMTPD_RCPT_LIMIT, DEF_SMTPD_RCPT_LIMIT, &var_smtpd_rcpt_limit, 1, 0,
5657 VAR_QUEUE_MINFREE, DEF_QUEUE_MINFREE, &var_queue_minfree, 0, 0,
5658 VAR_UNK_CLIENT_CODE, DEF_UNK_CLIENT_CODE, &var_unk_client_code, 0, 0,
5659 VAR_BAD_NAME_CODE, DEF_BAD_NAME_CODE, &var_bad_name_code, 0, 0,
5660 VAR_UNK_NAME_CODE, DEF_UNK_NAME_CODE, &var_unk_name_code, 0, 0,
5661 VAR_UNK_ADDR_CODE, DEF_UNK_ADDR_CODE, &var_unk_addr_code, 0, 0,
5662 VAR_RELAY_CODE, DEF_RELAY_CODE, &var_relay_code, 0, 0,
5663 VAR_MAPS_RBL_CODE, DEF_MAPS_RBL_CODE, &var_maps_rbl_code, 0, 0,
5664 VAR_MAP_REJECT_CODE, DEF_MAP_REJECT_CODE, &var_map_reject_code, 0, 0,
5665 VAR_MAP_DEFER_CODE, DEF_MAP_DEFER_CODE, &var_map_defer_code, 0, 0,
5666 VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code, 0, 0,
5667 VAR_DEFER_CODE, DEF_DEFER_CODE, &var_defer_code, 0, 0,
5668 VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, 0, 0,
5669 VAR_SMTPD_RCPT_OVERLIM, DEF_SMTPD_RCPT_OVERLIM, &var_smtpd_rcpt_overlim, 1, 0,
5670 VAR_SMTPD_HIST_THRSH, DEF_SMTPD_HIST_THRSH, &var_smtpd_hist_thrsh, 1, 0,
5671 VAR_UNV_FROM_RCODE, DEF_UNV_FROM_RCODE, &var_unv_from_rcode, 200, 599,
5672 VAR_UNV_RCPT_RCODE, DEF_UNV_RCPT_RCODE, &var_unv_rcpt_rcode, 200, 599,
5673 VAR_UNV_FROM_DCODE, DEF_UNV_FROM_DCODE, &var_unv_from_dcode, 200, 499,
5674 VAR_UNV_RCPT_DCODE, DEF_UNV_RCPT_DCODE, &var_unv_rcpt_dcode, 200, 499,
5675 VAR_MUL_RCPT_CODE, DEF_MUL_RCPT_CODE, &var_mul_rcpt_code, 0, 0,
5676 VAR_LOCAL_RCPT_CODE, DEF_LOCAL_RCPT_CODE, &var_local_rcpt_code, 0, 0,
5677 VAR_VIRT_ALIAS_CODE, DEF_VIRT_ALIAS_CODE, &var_virt_alias_code, 0, 0,
5678 VAR_VIRT_MAILBOX_CODE, DEF_VIRT_MAILBOX_CODE, &var_virt_mailbox_code, 0, 0,
5679 VAR_RELAY_RCPT_CODE, DEF_RELAY_RCPT_CODE, &var_relay_rcpt_code, 0, 0,
5680 VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, 0, 0,
5681 VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
5682 VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
5683 VAR_SMTPD_CMAIL_LIMIT, DEF_SMTPD_CMAIL_LIMIT, &var_smtpd_cmail_limit, 0, 0,
5684 VAR_SMTPD_CRCPT_LIMIT, DEF_SMTPD_CRCPT_LIMIT, &var_smtpd_crcpt_limit, 0, 0,
5685 VAR_SMTPD_CNTLS_LIMIT, DEF_SMTPD_CNTLS_LIMIT, &var_smtpd_cntls_limit, 0, 0,
5686 VAR_SMTPD_CAUTH_LIMIT, DEF_SMTPD_CAUTH_LIMIT, &var_smtpd_cauth_limit, 0, 0,
5687#ifdef USE_TLS
5688 VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
5689#endif
5690 VAR_SMTPD_POLICY_REQ_LIMIT, DEF_SMTPD_POLICY_REQ_LIMIT, &var_smtpd_policy_req_limit, 0, 0,
5691 VAR_SMTPD_POLICY_TRY_LIMIT, DEF_SMTPD_POLICY_TRY_LIMIT, &var_smtpd_policy_try_limit, 1, 0,
5692 0,
5693 };
5694 static const CONFIG_TIME_TABLE time_table[] = {
5695 VAR_SMTPD_TMOUT, DEF_SMTPD_TMOUT, &var_smtpd_tmout, 1, 0,
5696 VAR_SMTPD_ERR_SLEEP, DEF_SMTPD_ERR_SLEEP, &var_smtpd_err_sleep, 0, 0,
5697 VAR_SMTPD_PROXY_TMOUT, DEF_SMTPD_PROXY_TMOUT, &var_smtpd_proxy_tmout, 1, 0,
5698 VAR_VERIFY_POLL_DELAY, DEF_VERIFY_POLL_DELAY, &var_verify_poll_delay, 1, 0,
5699 VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0,
5700 VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0,
5701 VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
5702#ifdef USE_TLS
5703 VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
5704#endif
5705 VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, &var_milt_conn_time, 1, 0,
5706 VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, &var_milt_cmd_time, 1, 0,
5707 VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, &var_milt_msg_time, 1, 0,
5708 VAR_VERIFY_SENDER_TTL, DEF_VERIFY_SENDER_TTL, &var_verify_sender_ttl, 0, 0,
5709 VAR_SMTPD_UPROXY_TMOUT, DEF_SMTPD_UPROXY_TMOUT, &var_smtpd_uproxy_tmout, 1, 0,
5710 VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, &var_smtpd_policy_try_delay, 1, 0,
5711 0,
5712 };
5713 static const CONFIG_BOOL_TABLE bool_table[] = {
5714 VAR_HELO_REQUIRED, DEF_HELO_REQUIRED, &var_helo_required,
5715 VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject,
5716 VAR_STRICT_RFC821_ENV, DEF_STRICT_RFC821_ENV, &var_strict_rfc821_env,
5717 VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd,
5718 VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route,
5719 VAR_SMTPD_SASL_ENABLE, DEF_SMTPD_SASL_ENABLE, &var_smtpd_sasl_enable,
5720 VAR_SMTPD_SASL_AUTH_HDR, DEF_SMTPD_SASL_AUTH_HDR, &var_smtpd_sasl_auth_hdr,
5721 VAR_BROKEN_AUTH_CLNTS, DEF_BROKEN_AUTH_CLNTS, &var_broken_auth_clients,
5722 VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
5723 VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,
5724 VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt,
5725 VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
5726 VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
5727 VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
5728 VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
5729#ifdef USE_TLS
5730 VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
5731 VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
5732 VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
5733 VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid,
5734#endif
5735 VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
5736 VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
5737 VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
5738 0,
5739 };
5740 static const CONFIG_NBOOL_TABLE nbool_table[] = {
5741 VAR_SMTPD_REC_DEADLINE, DEF_SMTPD_REC_DEADLINE, &var_smtpd_rec_deadline,
5742 0,
5743 };
5744 static const CONFIG_STR_TABLE str_table[] = {
5745 VAR_SMTPD_BANNER, DEF_SMTPD_BANNER, &var_smtpd_banner, 1, 0,
5746 VAR_NOTIFY_CLASSES, DEF_NOTIFY_CLASSES, &var_notify_classes, 0, 0,
5747 VAR_CLIENT_CHECKS, DEF_CLIENT_CHECKS, &var_client_checks, 0, 0,
5748 VAR_HELO_CHECKS, DEF_HELO_CHECKS, &var_helo_checks, 0, 0,
5749 VAR_MAIL_CHECKS, DEF_MAIL_CHECKS, &var_mail_checks, 0, 0,
5750 VAR_RELAY_CHECKS, DEF_RELAY_CHECKS, &var_relay_checks, 0, 0,
5751 VAR_RCPT_CHECKS, DEF_RCPT_CHECKS, &var_rcpt_checks, 0, 0,
5752 VAR_ETRN_CHECKS, DEF_ETRN_CHECKS, &var_etrn_checks, 0, 0,
5753 VAR_DATA_CHECKS, DEF_DATA_CHECKS, &var_data_checks, 0, 0,
5754 VAR_EOD_CHECKS, DEF_EOD_CHECKS, &var_eod_checks, 0, 0,
5755 VAR_MAPS_RBL_DOMAINS, DEF_MAPS_RBL_DOMAINS, &var_maps_rbl_domains, 0, 0,
5756 VAR_RBL_REPLY_MAPS, DEF_RBL_REPLY_MAPS, &var_rbl_reply_maps, 0, 0,
5757 VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
5758 VAR_REST_CLASSES, DEF_REST_CLASSES, &var_rest_classes, 0, 0,
5759 VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0,
5760 VAR_SEND_CANON_MAPS, DEF_SEND_CANON_MAPS, &var_send_canon_maps, 0, 0,
5761 VAR_RCPT_CANON_MAPS, DEF_RCPT_CANON_MAPS, &var_rcpt_canon_maps, 0, 0,
5762 VAR_VIRT_ALIAS_MAPS, DEF_VIRT_ALIAS_MAPS, &var_virt_alias_maps, 0, 0,
5763 VAR_VIRT_MAILBOX_MAPS, DEF_VIRT_MAILBOX_MAPS, &var_virt_mailbox_maps, 0, 0,
5764 VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0,
5765 VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0,
5766 VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0,
5767 VAR_SMTPD_SASL_PATH, DEF_SMTPD_SASL_PATH, &var_smtpd_sasl_path, 1, 0,
5768 VAR_SMTPD_SASL_SERVICE, DEF_SMTPD_SASL_SERVICE, &var_smtpd_sasl_service, 1, 0,
5769 VAR_CYRUS_CONF_PATH, DEF_CYRUS_CONF_PATH, &var_cyrus_conf_path, 0, 0,
5770 VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 0, 0,
5771 VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS, DEF_SMTPD_SASL_EXCEPTIONS_NETWORKS, &var_smtpd_sasl_exceptions_networks, 0, 0,
5772 VAR_FILTER_XPORT, DEF_FILTER_XPORT, &var_filter_xport, 0, 0,
5773 VAR_PERM_MX_NETWORKS, DEF_PERM_MX_NETWORKS, &var_perm_mx_networks, 0, 0,
5774 VAR_SMTPD_SND_AUTH_MAPS, DEF_SMTPD_SND_AUTH_MAPS, &var_smtpd_snd_auth_maps, 0, 0,
5775 VAR_SMTPD_NOOP_CMDS, DEF_SMTPD_NOOP_CMDS, &var_smtpd_noop_cmds, 0, 0,
5776 VAR_SMTPD_FORBID_CMDS, DEF_SMTPD_FORBID_CMDS, &var_smtpd_forbid_cmds, 0, 0,
5777 VAR_SMTPD_NULL_KEY, DEF_SMTPD_NULL_KEY, &var_smtpd_null_key, 0, 0,
5778 VAR_RELAY_RCPT_MAPS, DEF_RELAY_RCPT_MAPS, &var_relay_rcpt_maps, 0, 0,
5779 VAR_VERIFY_SENDER, DEF_VERIFY_SENDER, &var_verify_sender, 0, 0,
5780 VAR_VERP_CLIENTS, DEF_VERP_CLIENTS, &var_verp_clients, 0, 0,
5781 VAR_SMTPD_PROXY_FILT, DEF_SMTPD_PROXY_FILT, &var_smtpd_proxy_filt, 0, 0,
5782 VAR_SMTPD_PROXY_EHLO, DEF_SMTPD_PROXY_EHLO, &var_smtpd_proxy_ehlo, 0, 0,
5783 VAR_SMTPD_PROXY_OPTS, DEF_SMTPD_PROXY_OPTS, &var_smtpd_proxy_opts, 0, 0,
5784 VAR_INPUT_TRANSP, DEF_INPUT_TRANSP, &var_input_transp, 0, 0,
5785 VAR_XCLIENT_HOSTS, DEF_XCLIENT_HOSTS, &var_xclient_hosts, 0, 0,
5786 VAR_XFORWARD_HOSTS, DEF_XFORWARD_HOSTS, &var_xforward_hosts, 0, 0,
5787 VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0,
5788 VAR_LOC_RWR_CLIENTS, DEF_LOC_RWR_CLIENTS, &var_local_rwr_clients, 0, 0,
5789 VAR_SMTPD_EHLO_DIS_WORDS, DEF_SMTPD_EHLO_DIS_WORDS, &var_smtpd_ehlo_dis_words, 0, 0,
5790 VAR_SMTPD_EHLO_DIS_MAPS, DEF_SMTPD_EHLO_DIS_MAPS, &var_smtpd_ehlo_dis_maps, 0, 0,
5791#ifdef USE_TLS
5792 VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_smtpd_relay_ccerts, 0, 0,
5793 VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0,
5794 VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
5795 VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
5796 VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
5797 VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
5798 VAR_SMTPD_TLS_ECCERT_FILE, DEF_SMTPD_TLS_ECCERT_FILE, &var_smtpd_tls_eccert_file, 0, 0,
5799 VAR_SMTPD_TLS_ECKEY_FILE, DEF_SMTPD_TLS_ECKEY_FILE, &var_smtpd_tls_eckey_file, 0, 0,
5800 VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
5801 VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
5802 VAR_SMTPD_TLS_CIPH, DEF_SMTPD_TLS_CIPH, &var_smtpd_tls_ciph, 1, 0,
5803 VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0,
5804 VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0,
5805 VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0,
5806 VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_proto, 0, 0,
5807 VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0,
5808 VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
5809 VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
5810 VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0,
5811 VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0,
5812 VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
5813#endif
5814 VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
5815 VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0,
5816 VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0,
5817 VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0,
5818 VAR_MILT_HELO_MACROS, DEF_MILT_HELO_MACROS, &var_milt_helo_macros, 0, 0,
5819 VAR_MILT_MAIL_MACROS, DEF_MILT_MAIL_MACROS, &var_milt_mail_macros, 0, 0,
5820 VAR_MILT_RCPT_MACROS, DEF_MILT_RCPT_MACROS, &var_milt_rcpt_macros, 0, 0,
5821 VAR_MILT_DATA_MACROS, DEF_MILT_DATA_MACROS, &var_milt_data_macros, 0, 0,
5822 VAR_MILT_EOH_MACROS, DEF_MILT_EOH_MACROS, &var_milt_eoh_macros, 0, 0,
5823 VAR_MILT_EOD_MACROS, DEF_MILT_EOD_MACROS, &var_milt_eod_macros, 0, 0,
5824 VAR_MILT_UNK_MACROS, DEF_MILT_UNK_MACROS, &var_milt_unk_macros, 0, 0,
5825 VAR_MILT_PROTOCOL, DEF_MILT_PROTOCOL, &var_milt_protocol, 1, 0,
5826 VAR_MILT_DEF_ACTION, DEF_MILT_DEF_ACTION, &var_milt_def_action, 1, 0,
5827 VAR_MILT_DAEMON_NAME, DEF_MILT_DAEMON_NAME, &var_milt_daemon_name, 1, 0,
5828 VAR_MILT_V, DEF_MILT_V, &var_milt_v, 1, 0,
5829 VAR_MILT_MACRO_DEFLTS, DEF_MILT_MACRO_DEFLTS, &var_milt_macro_deflts, 0, 0,
5830 VAR_STRESS, DEF_STRESS, &var_stress, 0, 0,
5831 VAR_UNV_FROM_WHY, DEF_UNV_FROM_WHY, &var_unv_from_why, 0, 0,
5832 VAR_UNV_RCPT_WHY, DEF_UNV_RCPT_WHY, &var_unv_rcpt_why, 0, 0,
5833 VAR_REJECT_TMPF_ACT, DEF_REJECT_TMPF_ACT, &var_reject_tmpf_act, 1, 0,
5834 VAR_UNK_NAME_TF_ACT, DEF_UNK_NAME_TF_ACT, &var_unk_name_tf_act, 1, 0,
5835 VAR_UNK_ADDR_TF_ACT, DEF_UNK_ADDR_TF_ACT, &var_unk_addr_tf_act, 1, 0,
5836 VAR_UNV_RCPT_TF_ACT, DEF_UNV_RCPT_TF_ACT, &var_unv_rcpt_tf_act, 1, 0,
5837 VAR_UNV_FROM_TF_ACT, DEF_UNV_FROM_TF_ACT, &var_unv_from_tf_act, 1, 0,
5838 VAR_SMTPD_CMD_FILTER, DEF_SMTPD_CMD_FILTER, &var_smtpd_cmd_filter, 0, 0,
5839#ifdef USE_TLSPROXY
5840 VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 0,
5841#endif
5842 VAR_SMTPD_ACL_PERM_LOG, DEF_SMTPD_ACL_PERM_LOG, &var_smtpd_acl_perm_log, 0, 0,
5843 VAR_SMTPD_UPROXY_PROTO, DEF_SMTPD_UPROXY_PROTO, &var_smtpd_uproxy_proto, 0, 0,
5844 VAR_SMTPD_POLICY_DEF_ACTION, DEF_SMTPD_POLICY_DEF_ACTION, &var_smtpd_policy_def_action, 1, 0,
5845 VAR_SMTPD_POLICY_CONTEXT, DEF_SMTPD_POLICY_CONTEXT, &var_smtpd_policy_context, 0, 0,
5846 VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
5847 0,
5848 };
5849 static const CONFIG_RAW_TABLE raw_table[] = {
5850 VAR_SMTPD_EXP_FILTER, DEF_SMTPD_EXP_FILTER, &var_smtpd_exp_filter, 1, 0,
5851 VAR_DEF_RBL_REPLY, DEF_DEF_RBL_REPLY, &var_def_rbl_reply, 1, 0,
5852 VAR_SMTPD_REJ_FOOTER, DEF_SMTPD_REJ_FOOTER, &var_smtpd_rej_footer, 0, 0,
5853 0,
5854 };
5855
5856 /*
5857 * Fingerprint executables and core dumps.
5858 */
5859 MAIL_VERSION_STAMP_ALLOCATE;
5860
5861 /*
5862 * Pass control to the single-threaded service skeleton.
5863 */
5864 single_server_main(argc, argv, smtpd_service,
5865 CA_MAIL_SERVER_NINT_TABLE(nint_table),
5866 CA_MAIL_SERVER_INT_TABLE(int_table),
5867 CA_MAIL_SERVER_STR_TABLE(str_table),
5868 CA_MAIL_SERVER_RAW_TABLE(raw_table),
5869 CA_MAIL_SERVER_BOOL_TABLE(bool_table),
5870 CA_MAIL_SERVER_NBOOL_TABLE(nbool_table),
5871 CA_MAIL_SERVER_TIME_TABLE(time_table),
5872 CA_MAIL_SERVER_PRE_INIT(pre_jail_init),
5873 CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
5874 CA_MAIL_SERVER_POST_INIT(post_jail_init),
5875 0);
5876}
5877